GlassWire is a Beautiful Network Monitor and Firewall for Windows

One trait that’s a rarity among Windows applications is beauty. However, every once in a while there comes an app that stands out and makes you take notice due to its well thought out design and interface. GlassWire is one such app.


GlassWire is a free network and bandwidth monitor and firewall. There’s no shortage of similar apps for Windows; however, almost all of them are a confusing mess of complexity that would scare away anyone who is not tech-savvy. GlassWire on the other hand is brilliant in its simplicity.

There are only four tabs – Graph, Firewall, Usage, and Alerts. The Graph section shows a continuous stream of your network activity. You can see your total internet activity or drill down by traffic type and application.

GlassWire – Graph

The Firewall tab allows you to quickly block an app from using your internet connection. It lists all apps that are connected or have connected to the internet, along with details about the host each one is connecting to. If you see something that you don’t like, you can instantly block that app by clicking on the fire icon next to it. GlassWire itself doesn’t have a firewall engine. Instead, it sits on top of the Windows Firewall and provides an interface to control it.

GlassWire – Firewall

The Usage tab gives a detailed report on the internet usage pattern of every app. You will be able to see exactly who each app has been communicating with and how much data it is sending out. GlassWire also has an Incognito Mode for the times when you don’t want your activity to be recorded. It’s also pretty straightforward to delete reports, in case you want to keep some stuff off the books.

GlassWire – Usage

Finally, there’s a pretty versatile Alerts feature, which provides a wide range of alerts, including first network activity, excessive bandwidth usage, hosts file modification, and suspicious host connections. There’s also an option to remotely observe another system’s activity.

It’s still early days for GlassWire, and there’s undoubtedly room for improvement. The Firewall tab simply lists all the processes that are transferring data over the internet. It would be a lot more useful if it also integrated with something like ProcessLibrary to show more information about each app/process. There are also a few UI glitches that show up at various resolutions.

GlassWire – Alerts

The absence of advanced features found in most third-party firewalls might put off power users, but GlassWire does just enough to be useful to a large section of users, who might get annoyed or confused by a full-fledged firewall. GlassWire does a good job at keeping things simple and exposing a lot of useful information without being confusing.

[ Download GlassWire ]
Image Credit: Crackers by elhombredenegro

Kaspersky Tops Antivirus Shootout, Windows Defender Worst of the Lot

Anti-virus software is no longer a catch-all solution for your security due to the multitude of new attack vectors. However, it still makes sense to have effective anti-virus software installed on your system. Renowned security testing lab Av-Test put 25 consumer antivirus solutions through the wringer to determine how well they perform in real-world scenarios on Windows 8.1.

All the security apps were graded on three criteria – Protection, Performance, and Usability. The first criterion is an indication of the detection rate. Each security software was tested on a system with 20,646 known samples (malware that has been widespread and prevalent in the last four weeks) and 138 unknown samples. The Performance score is based on the amount of impact the security software had on system performance, while Usability is determined by the number of false positives.

The good news is that most of the antivirus suites performed pretty well, with only three tools ending up with a detection rate below 94% on unknown malware. The average detection rate for known malware was 98%. The bad news is that Microsoft Windows Defender, which ships with Windows 8.1, performed abysmally. It was the worst of the lot, scoring 0 points in protection. The other two poor performers in the heuristics test were Tencent PC Manager and AhnLab V3 Internet Security. Even popular third-party freeware products like AVG and Avast performed relatively poorly. Panda Cloud Antivirus and Qihoo 360 Internet Security were the top performing free antivirus software.

Windows Defender Protection Results

The overall top performer was Kaspersky Internet Security 2014, which obtained a perfect score of 18. Qihoo, McAfee, Bitdefender and Avira scored 17.5 points. As many as nine antimalware apps got a perfect score in the detection tests. The high scores were undoubtedly influenced by Av-Test’s decision to use only widespread and prevalent malware for the known samples test, but that also makes Windows Defender’s mere 79% detection rate look even worse.

Av-Test Antivirus Shootout Results

helps consumers protect personal information online

As part of World Password Day earlier this week, McAfee and its partners started an effort to help educate consumers worldwide on the importance of password safety in the wake of the multiple global security breaches.

TruePlex for Android Shows How Risky Your Installed Apps Are

Earlier today, the FTC announced the terms of its settlement with the free torch app “Brightest Flashlight”, which had surreptitiously collected real-time location data of its users and sold it to advertisers. Although Android doesn’t allow you to modify the permissions that an installed app has, Google does display the permissions that an app is requesting before you install it. A privacy breach like the “Brightest Flashlight” incident can easily be avoided by paying attention to the permissions that an app requests. For example, there is no valid reason for a torch app to access your location. If you find that an app requests more permissions than is justifiable, it might be best to simply avoid it and pick a less nosy alternative.

The trouble is that if you have been using Android for a while, you must have already installed dozens of apps. Manually reviewing their permissions is a cumbersome process that very few users will be willing to undertake. This is where a new app called TruePlex can help.


TruePlex is a new app which does one simple thing. Once installed, it cross-references the apps installed on your phone with its database, and generates a report with a rating (lower is better) for each identified app. The rating is based on the amount of access the app has to private data. A higher rating doesn’t necessarily mean that something is wrong, but it does indicate that you should take a closer look at the permissions the app is requesting. Tapping on any of the app icons in the report opens up a new page which lists all the permissions an app has. While it makes sense that your SMS app will have access to your messages and contacts, be wary if a random game requests the same permissions.


TruePlex looks and feels like something hacked together over a weekend. The app basically has a single screen, and all it does is prepare a report of the permissions that apps installed on your device have. Quite appropriately, TruePlex itself doesn’t request any special permissions. This will perhaps instantly make it As soon as you hit the “Let’s Go” button, you are taken to your web browser, where your report is displayed. You also have the option of creating an account on the TruePlex website. This will allow you to compare your device score with other users.


To be fair, the app is very basic, the report is ugly, the website is buggy, and there’s still a lot of work to be done. The database is still small, and not all of your apps are rated. I’m sure that if it gains popularity, we’re going to see a much more polished app in the coming weeks. I’d definitely want to see it automatically figure out what permissions my installed apps have, and generate a report even if an app isn’t in the TruePlex database. Nevertheless, the app is already quite useful and worth a download. The app is essentially similar to BitDefender’s Clueful app. However, TruePlex is a lot more lightweight, and requires no permissions for itself. On the flip side, the report lacks the succinct one-line summary that Clueful provides.

[ Download TruePlex ]

The Heartbleed FAQ – Everything You Should Know About It

The interwebs is awash with reports and speculation about Heartbleed. Post-Y2K it’s difficult to recall any occasion when a security vulnerability managed to gain such widespread attention. But exactly what is Heartbleed? Here’s a quick summary of everything you need to know about Heartbleed.

What is Heartbleed?

Heartbleed is a critical vulnerability in the OpenSSL library. The official designation of this bug is CVE-2014-0160. SSL stands for Secure Sockets Layer and is a standard security technology for establishing an encrypted link between a web server and a browser. This bit of technology essentially ensures that no one can peek into the data sent between you and the web server. Every website with a URL that begins with https:// (often indicated by a padlock in your browser’s address bar) uses SSL to keep data, including the authentication information that you key in, private. OpenSSL is an extremely popular open source implementation of this protocol.

Heartbleed is a bug in the OpenSSL code which can theoretically be leveraged by an attacker to gain access to data transmitted between you and the web server. This means that theoretically the attacker can see all of the data that you enter into an affected website, including your username and password. There has also been speculation that the bug can enable the attacker to gain access to a server’s private key. This would essentially allow the attacker to impersonate any web service and conduct MITM (man in the middle) attacks. This would force every affected website to revoke and reissue its certificates. However, there’s still debate about whether this worst case scenario is possible or not. CloudFlare has declared that after extensive testing it has been unable to grab private SSL keys by exploiting Heartbleed.

Update: The CloudFlare challenge has been cracked. So, it’s possible to access a server’s key with this exploit.

How did this happen?

Contrary to the conspiracy theories buzzing around the social media websites and discussion boards, there is a very simple explanation behind how the Heartbleed vulnerability was introduced. It was a simple coder oversight.

The bug was introduced by Dr Seggelmann, a German contributor to the OpenSSL project. He was working on patching existing bugs and adding new features. Unfortunately, in one of the new features, he forgot to validate a variable containing a length. The same mistake was also overlooked by the code reviewer Dr Stephen Henson, and thus the bug made its way into the production code of OpenSSL.

How does this exploit work?

As mentioned earlier, the Heartbleed vulnerability is due to a missing validation on a variable holding a size. One of the reasons why the bug has been named Heartbleed is that it occurs in the heartbeat stage of the protocol. A heartbeat is essentially a technique that enables a computer at one end of the SSL connection to double check that the recipient is still alive. The following XKCD comic does a pretty good job at explaining the issue in simple terms. Essentially, the heartbeat mechanism sends a key and requests a response from the recipient to confirm that the recipient is still active. However, the length of the request isn’t validated. So, you can send a key that is just 3 characters long, but request an acknowledgement that is up to 65536 characters long. Since the server isn’t checking the length of the response requested, it would send you all of the requested characters, which will include whatever characters are stored in memory after your key. With some luck and persistence, this oversight can be used to gain access to confidential information.
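The missing check described above, as an added example in C that is not OpenSSL’s own code: a simplified heartbeat handler modelled on the RFC 6520 record layout (type, two-byte claimed payload length, payload, padding), with the bounds check that the fix added made switchable so the vulnerable and patched behaviour can be compared on the same record. The arena, the 3-byte payload, the claimed length of 64 and the “SESSION-COOKIE” string standing in for neighbouring memory are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. Models a TLS heartbeat record
 * (RFC 6520 layout): type(1) | payload_length(2, big-endian) | payload | padding(16).
 * `arena` in demo() stands in for the process memory that followed the record. */
#define PADDING 16

/* Answer a heartbeat request held at `rec`; `rec_len` is the byte count
 * actually received. Returns the response length written to `out`, or -1
 * when the record is rejected. With validate == 0 the bounds check that was
 * missing before the CVE-2014-0160 fix is skipped. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int validate)
{
    if (rec_len < 3)
        return -1;
    if (rec[0] != 1)                          /* 1 = heartbeat_request */
        return -1;
    /* Claimed payload length: copied from the peer's bytes, never measured. */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The fix: claimed payload plus header and padding must fit within the
     * bytes that actually arrived; otherwise discard the record silently. */
    if (validate && (size_t)1 + 2 + payload + PADDING > rec_len)
        return -1;

    size_t resp_len = (size_t)1 + 2 + payload + PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = 2;                               /* 2 = heartbeat_response */
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* Without validation this copies `payload` bytes starting at the real
     * payload, running past the record into whatever memory follows it. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, PADDING);
    return (int)resp_len;
}

/* Constructed scenario: a request carrying a 3-byte payload but claiming
 * `claimed` bytes, placed in front of unrelated data in the same arena. */
static int demo(uint16_t claimed, int validate, unsigned char *out, size_t out_cap)
{
    unsigned char arena[256];
    memset(arena, 0, sizeof arena);
    size_t rec_len = 1 + 2 + 3 + PADDING;     /* 22 bytes really sent */
    arena[0] = 1;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, "hat", 3);
    /* Constructed stand-in for data a server might hold next to the record. */
    memcpy(arena + rec_len, "SESSION-COOKIE=constructed-secret", 33);
    return process_heartbeat(arena, rec_len, out, out_cap, validate);
}

int main(void)
{
    unsigned char out[256];
    int n = demo(64, 0, out, sizeof out);
    printf("unvalidated: %d bytes returned, byte 22 onward: %.14s\n", n,
           (const char *)out + 22);
    printf("validated:   %d (rejected)\n", demo(64, 1, out, sizeof out));
    printf("honest:      %d bytes returned\n", demo(3, 1, out, sizeof out));
    return 0;
}
```

With the check skipped the response is 83 bytes and carries the neighbouring string; with the check in place the same record is discarded, while an honest 3-byte request still gets its 22-byte reply.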


Who discovered it?

The Heartbleed bug was introduced two years ago; however, in a strange coincidence, it was discovered and reported by two parties on the same day. One of those parties was Google’s Neel Mehta, who quietly reported the bug to OpenSSL. The other party was a Finnish security research firm called Codenomicon. Realizing that the discovered bug was extraordinary in its impact and severity, Codenomicon decided to create a campaign to make sure everyone took notice of the issue. They registered the domain, came up with the compelling name, designed a logo, and created the initial narrative. Both researchers collaborated with OpenSSL to ensure that the vulnerability wasn’t disclosed before an official patch was released.

What can you do?

To be honest, there isn’t much you can do. A fix for the vulnerability has already been issued by OpenSSL. Most major websites, including banks and other financial service providers, have already updated their OpenSSL installations. Given the massive publicity this bug has received, it’s likely that most websites will implement the patch in the coming days. Mashable has published a massive list of popular websites affected by this vulnerability. It’s wise to change your password at any website that was affected by the bug, but you should do so only after that website has patched the vulnerability. Otherwise, you risk exposing yourself further. As always, folks using unique passwords are considerably safer.

Lastpass, one of the most popular password managers, has updated its Security Challenge tool to include Heartbleed related information. It automatically scans websites in your vault and lists all the websites that have been affected. It also lets you know which websites have been patched, so that you can go ahead and change your password.

India’s CLAT Exam Leaks Applicant’s Emails, Leads to Phishing Scam

Privacy and the internet aren’t exactly best friends. In fact, it might well be better to assume that as long as you are on the web, you will suffer from an unexpected privacy breach sooner or later – whether it is due to your own naiveté or due to third party security mishaps. However, that doesn’t make irresponsible, careless, and purposeful data leaks any less aggravating. Today’s offender is CLAT, or the Common Law Admission Test.

CLAT is a fiercely competitive centralized test for admission to prominent National Law Universities in India. Last month, CLAT closed its application procedure. Soon after, in an amazingly dumb-headed move, it mailed all applicants a PDF titled “3. Online Applications (UG) Submitted till 30th March 2013”. Here’s a look at its content.


Yes, someone in CLAT thought that it was perfectly appropriate to dispatch the full list of more than eighteen thousand candidates along with their email IDs in a PDF. Now I understand that CLAT probably has more lawyers than technically minded folks, but it’s shocking that no one in its technical team acted to stop this amazingly boneheaded move. For good measure, CLAT also uploaded this document to its website (where it is still available).

Now, an email address isn’t very high on the list of sensitive information. However, in the wrong hands it can be misused. And misused it was. Over the past few weeks, candidates listed in the document have been receiving emails appearing to be from [email protected], claiming to be sent by Dr. Dipak Das, Registrar In-Charge of Hidayatullah National Law University, Raipur and the Convenor of CLAT-2013. The emails ask the candidates to immediately deposit Rs. 2000 in order to avoid cancellation of their application due to non-payment of fees. Considering the state of the candidates’ minds, and the relevance of the message, it’s not surprising that many have fallen victim to the phishing scam. Thankfully, the scammer in this particular case was naïve enough to demand a money transfer to an SBI (State Bank of India) account, which should be easily traceable. CLAT might not have a lot of technical expertise or common sense. However, one thing it does have is access to plenty of lawyers. Unsurprisingly, CLAT-2013/Hidayatullah National Law University, Raipur, is taking the necessary legal steps.

(hat tip: Sameer Gupta)

Movie Rental Site Vudu Suffers Break-in; Customer Data Stolen

Wal-Mart-owned movie rental/purchase site Vudu has become the latest victim of a data breach. But unlike some of the previous attacks, the Vudu data breach didn’t involve any remote hacking attempts.

Some lawbreakers broke into Vudu’s office and stole a number of items, including hard drives. Unfortunately for its users, those hard drives contained usernames, passwords and the last four digits of credit cards of some customers.

Vudu has sent out emails to all affected users urging them to reset their passwords. They have also issued a press release, which is provided below.

On March 24, 2013, there was a break-in at the VUDU office and a number of items were stolen, including hard drives. These hard drives contained customer data including names, email addresses, mailing addresses, account activity, dates of birth, and encrypted passwords, but NO full credit card numbers. We are proactively retiring and resetting all passwords and notifying all customers. As another level of protection for customers we are also providing AllClear ID identity protection services. We reported the theft to law enforcement immediately, and are cooperating fully with their investigation.

Luckily, Vudu doesn’t store the full credit card numbers of its users, so the damage was greatly reduced. If you are a Vudu customer, we strongly recommend changing your password as soon as possible. Also, if you have used the same password for some other service (which is actually a very bad idea), please change those passwords as well.

LG Smart World Hacked, User Information Leaked

A hacker going by the Twitter handle @Ur0b0r0x has breached LG Smart World, and leaked email addresses and password hashes of 11,316 users [Please see update below]. Smart World is LG’s official app store, providing apps for smart TVs, smartphones, and home appliances. The same hacker had earlier hacked 32 websites belonging to the Government of Colombia.


The hacked data dump has already been indexed by OZ Data Centa. If you want to find out if your info has been leaked, head over to and search for your email address. According to OZDC, the leaked information contains 11,203 valid emails, of which 284 had already been compromised in some other data breach incident. Thankfully, LG was not storing passwords in plain text. However, I am not sure exactly what hashing algorithm it was using. If your account has been affected, immediately change your password on Smart World as well as on all other websites on which you were using the same password.

Nothing on the internet is truly secure. Data and privacy breaches are often inevitable. However, you can avoid being burned by being prepared for the worst case scenario. Some of the elementary precautions are:

  • Using distinct, non-guessable, non-dictionary-word passwords. You can use a password manager like Lastpass to manage your various accounts.
  • Enabling two-step authentication on services like Gmail that support it.
  • Using a truly secure secret question for password reset options.

Update: An LG spokesperson reached out to us stating that LG has been unable to verify a breach. “As far as we know, no private or sensitive information has been accessed”, he added.

Top Passwords of 2012

Halloween is fast approaching, and if you don’t want to deal with a security nightmare, it might be prudent to take another look at your passwords. Earlier in the year, I had shared with you a list of 25 Passwords and ATM PINs You Should Never Use. Now, here is another similar list. This one comes courtesy of Splashdata and contains the most common passwords compiled from files containing millions of stolen passwords posted online by hackers.


Passwords like password, 123456, abc123, and qwerty once again top the list. There are some new entries in the list like welcome, jesus, ninja, mustang, and password1. However, most of the passwords in the top 25 are carried over from Splashdata’s previous year’s list. The infographic above shows the top ten passwords. You can find the full list of passwords that you should never use over here. As always, if you truly want to remain secure you should avoid using guessable passwords (like your birthday) and hints, and use distinct passwords. Remembering several dozen unique passwords is not an easy feat; hence, you can rely on tools like LastPass to generate and remember passwords for you.

Facebook Apps Harvest and Sell Private Information in the Open Market

It’s often said that if you are not paying for something then you are the product. The reckless abuse of privacy information by millions of free apps available in various repositories regularly drives home this point.

Bogomil Shopov stumbled upon a deal selling more than a million Facebook profiles, each accompanied by the name and email address of the user, for only five bucks. Although he didn’t specify the source, it is probably the GigBucks listing pictured below. According to the offer description, the list consists only of active Facebook users, mostly from the US, Canada, UK and Europe. The data was harvested through Facebook apps.


An opt-in list with a million verified email addresses and names would have easily fetched hundreds of dollars in the decade gone by. However, now it’s available for just five bucks. That in itself suggests that perhaps lists like these are not all that rare or difficult to find. Social media services like Twitter and Facebook have dramatically lowered the expectations of privacy among users. Most people will think twice before signing up for a dicey looking website, but will not hesitate to sign in through Facebook to play a quiz or take an IQ test. A little carelessness and a little breach of trust is all it takes for your name to appear in a list like this.