Tag Archives: Security

Andrognito Can Encrypt and Hide Any File on Android

Everyone has something to hide. With smartphones becoming deeply integrated with each and every facet of our life, it’s only natural that they’d contain sensitive data. And, as the recent iCloud breaches have shown us, sometimes it’s better to keep private stuff on your device and within your control, instead of in cloud storage that can be hacked remotely.


Andrognito is an Android app that can hide and secure any file on your Android smartphone. The developer, Aritra Roy from Kolkata, India, named the app as a fusion of the words Android and Incognito. The app applies a 3-step process to hide and lock your files:
i) It randomly assigns a new name to the file and prepends a period (‘.’) to the file name to prevent it from being indexed by the Android media library.
ii) It places the file in a wrapper called an ADG container, and encrypts it using AES-256.
iii) It applies a strong password to the container, and renames it once again.

The algorithm used by Andrognito is device-specific, so simply copying the Andrognito container (.adg) to a different device won’t work. However, on the same device, Andrognito-encrypted files can persist through factory resets and ROM changes. The only catch is that you shouldn’t delete the ADG files and the “Andrognito/Backups” folder.

Andrognito – Setup Page

Andrognito is pretty straightforward to use. You are presented with a brief tutorial slide when you launch the app for the first time. After that you are presented with the File Explorer, which allows you to select the files that you want to hide. Applying AES encryption makes the file almost impossible to crack. However, it can take a fair amount of time. Hence, Andrognito also has a Flash mode, which skips the encryption and simply repackages your content to hide it from your file manager. However, files in this mode may be viewable in other apps. Files hidden by Andrognito can be accessed from the ‘Files’ tab in the app. If you end up hiding a lot of stuff, you will find the ability to filter by file type and to add certain files to Favourites handy. The Andrognito app itself is protected by a 4-digit PIN.

Andrognito – Guide

The app has a couple of other tricks up its sleeve. The first of them is a fake vault. You can set a dummy PIN which, when entered, will open a fake vault (with 0 files). This can obviously be handy if you have a particularly nosy significant other or parents. The other neat feature is to hide Andrognito itself. If you turn on the Invisible mode, the app will be removed from the app drawer. You will be able to launch it only by dialling your PIN from the phone dialler. The app also prevents brute-force attacks by automatically locking itself for 15 minutes after 3 failed attempts.
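The lockout and dummy-PIN behaviour described above can be sketched as follows. This is an added example, not Andrognito's code: the `PinGate` class, its return values and the PBKDF2 storage are assumptions; only the 3-attempt limit, the 15-minute lock and the 4-digit PIN come from the article. `worst_case_days` shows how far that lockout stretches a 4-digit PIN space.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 3           # article: lock after 3 failed attempts
LOCKOUT_SECONDS = 15 * 60  # article: locked for 15 minutes
PIN_SPACE = 10 ** 4        # article: 4-digit PIN

class PinGate:
    """Hypothetical PIN gate with a decoy PIN and a lockout."""

    def __init__(self, real_pin, decoy_pin, salt, clock=time.monotonic):
        self._salt = salt
        self._real = self._derive(real_pin)
        self._decoy = self._derive(decoy_pin)
        self._clock = clock
        # A real app must persist these two fields, or a restart resets them.
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, pin):
        # Store a salted, stretched digest rather than the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def try_pin(self, pin):
        now = self._clock()
        if now < self._locked_until:
            return "locked"  # refuse without checking the PIN at all
        candidate = self._derive(pin)
        # Run both comparisons so timing does not reveal which PIN matched.
        is_real = hmac.compare_digest(candidate, self._real)
        is_decoy = hmac.compare_digest(candidate, self._decoy)
        if is_real or is_decoy:
            self._failures = 0
            return "vault" if is_real else "decoy"
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
        return "denied"

def worst_case_days(pin_space=PIN_SPACE):
    """Days of enforced lockout before every PIN could have been tried once."""
    # The final guess is the correct one, so at most pin_space - 1 guesses fail.
    lockouts = (pin_space - 1) // MAX_ATTEMPTS
    return lockouts * LOCKOUT_SECONDS / 86400
```

With these numbers the lockout alone accounts for roughly 35 days of waiting across the whole 4-digit space, which holds only if the failure counter survives app restarts and reinstalls.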

Andrognito – Select Files

Andrognito is currently in beta, but worked without a hitch for me. Go ahead, and take it for a spin. There are other similar apps, but Andrognito strikes a nice balance between simplicity and security, and is completely free.

[ Download Andrognito ]

[ Image courtesy Scott Schiller ]

PasswordDay.org helps consumers protect personal information online

As part of World Password Day earlier this week, McAfee and its partners started an effort to help educate consumers worldwide on the importance of password safety in the wake of the multiple global security breaches.

How to Encrypt and Password Protect Your Gmail Messages

In light of the privacy debate currently raging all around the world, and given the flippant stance of many of our often-used communication platforms with regard to securing their users’ privacy, it is becoming more and more evident that if the user wants privacy online, he’ll have to snatch it, for it won’t be easily given.

Talking of communication, email comes to mind. Privacy begins with encryption. And encrypting email isn’t exactly an easy task. It is at best annoying. At worst it can be so cumbersome that most people don’t bother. You can use desktop clients and PGP keys, as Lifehacker details. The annoying procedure of making and handling security keys is also mentioned by Ars Technica in its editorial about why most people don’t bother encrypting email.

So what do you do if you don’t want peeping toms and evil governments looking into your email? The best idea would be to go stone age and use smoke signals, but of course, we’re discussing technology here and I digress. A much simpler alternative would be to encrypt the email text and share the password via other means. This is what the ingenious Google Chrome extension SecureGmail aims to do.


Let’s discuss the prerequisites here before we begin encrypting our Gmail messages! Both you and your message recipient will need the following:

  1. Gmail accounts
  2. Google Chrome
  3. The Chrome Extension SecureGmail 

What does the extension do? The extension will create a new button beside the usual red Compose button. When you click on it, a new mail window appears, but this one is different from the vanilla compose box, as whatever you type in here won’t be saved to Google’s servers. For the technically curious, SecureGmail uses an open-source JS crypto library from Stanford.


On completing the message, click the Send Encrypted button. You’ll be asked to set a password for the message as well as a password hint. Your recipient will only see the password hint. If he doesn’t have the extension installed, he’ll see a link to install it. Otherwise, the password can be input right away and the email decrypted.

Only the encrypted copy is saved on Gmail’s servers. If you check your Sent Items folder, you’ll see something like this.

SecureGmail

The success of this method obviously assumes that you’ve sent your password to your recipient successfully via other means. Maybe it’s the first word on the 37th page of a certain book, maybe it’s an irrelevant word written as graffiti somewhere. Sci-fi movies will give you enough ideas to supply a hint.

What do you do if you want to encrypt text with a password but don’t want to use a Chrome extension? Googling for “encrypt text” will give you a slew of options.

Interested in encrypting more kinds of files? Learn about the different tools we’ve written about here and here.

Is Nokia Hijacking Your Phone’s Browser Traffic?

Two days ago, security professional Gaurang Pandya made an interesting discovery about the browser that comes bundled with the Nokia Asha 302, or pretty much any Nokia feature phone. The browser uses a proxy to route its traffic instead of hitting the requested server directly. This led many people to believe that Nokia is performing a MITM attack on their connection. Now, it would be wrong to refute those claims, because this indeed is a MITM technically. However, it is too early to jump to conclusions here.


Nokia uses its Nokia/Ovi proxy servers pretty much the same way any other browser manufacturer uses its proxy servers, that is, for transcoding, resulting in data compression and faster browsing. Amazon’s Silk browser does it, Opera Mini does it, but with a slight difference. The others who do it are not handset manufacturers. Nokia, on the other hand, is a handset manufacturer and this allows it to proxy HTTPS connections as well. So, how does this work?

Nokia has control of your device (at least during the manufacturing process), and it cunningly includes a fake certification authority (CA) on your device. With this fake certificate issuer trusted on your device, the proxy server can decode your data, because the data is encrypted with a public key for which the proxy server holds the private key [Public Key Cryptography]. The proxy server in turn sends the data to the actual server, only this time over a connection secured with a certificate issued by a proper CA. The outcry in this case was that HTTPS connections could also be hijacked by the proxy servers at Nokia, which is not possible with Opera Mini or other browsers that use proxy servers.

So, is there reason to be worried? Of course there is. However, is there reason to blame Nokia? No. There is just reason enough to ask better questions, like how secure are these proxy servers?

BLAKE2: Bid Farewell to MD5

Over the last two years, a number of hacker collectives have successfully ridiculed existing cyber-security measures and this has brought up the need for a major overhaul in security. MD5, which is the most abused hashing technique, is over two decades old now, but it is still in use at many places, mostly because it is part of some legacy code that was never changed. The world of cryptography has taken the next step to security as BLAKE2 is here.

BLAKE2 is the advanced version of the BLAKE algorithm, which was a finalist in the SHA-3 competition. The official page for BLAKE2 describes it as follows:

The cryptographic hash function BLAKE2 is an improved version of the SHA-3 finalist BLAKE. Like BLAKE or SHA-3, BLAKE2 offers the highest security, yet is fast as MD5 on 64-bit platforms and requires at least 33% less RAM than SHA-2 or SHA-3 on low-end systems.

While BLAKE2 is advocated as a secure hashing function, it is also as fast as MD5, which might be a reason for concern, but the developers of BLAKE2 have said on their mailing list that BLAKE2 has better security and on-par performance with MD5. From what it seems, they are proposing BLAKE2 as a viable alternative to MD5. The use case for BLAKE2 is not replacing the existing Keccak algorithm for SHA-3.

Many a time, people stick to MD5 for a performance benefit. With its superior performance and better security, BLAKE2 will be a nail in MD5’s coffin.
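For the legacy-MD5 situation described above, here is an added example (not from the BLAKE2 project or the original post) of moving a checksum manifest from MD5 to BLAKE2b with Python's standard `hashlib`. The `algo:hex` manifest format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import hmac

PREFERRED = "blake2b"

def digest(algo, data):
    """Hex digest of data under one of the two algorithms this example knows."""
    if algo == "md5":
        return hashlib.md5(data).hexdigest()  # legacy entries only
    if algo == "blake2b":
        # 32-byte output: twice the length of MD5's 16-byte digest.
        return hashlib.blake2b(data, digest_size=32).hexdigest()
    raise ValueError("unsupported digest algorithm: " + algo)

def migrate(manifest, files):
    """Verify each 'algo:hex' entry, then re-record verified MD5 entries as BLAKE2b."""
    new_manifest, report = {}, {}
    for name, entry in manifest.items():
        algo, _, recorded = entry.partition(":")
        data = files.get(name)
        new_manifest[name] = entry  # default: keep the entry unchanged
        if data is None:
            report[name] = "missing"
        elif not hmac.compare_digest(digest(algo, data), recorded.lower()):
            report[name] = "mismatch"  # never re-hash content that failed its check
        elif algo == PREFERRED:
            report[name] = "ok"
        else:
            # MD5 is collision-broken, so this match is weaker evidence than a
            # BLAKE2b match; from here on the stronger digest is recorded.
            new_manifest[name] = PREFERRED + ":" + digest(PREFERRED, data)
            report[name] = "upgraded"
    return new_manifest, report

# Constructed sample data: three in-memory "files" and a legacy manifest.
FILES = {
    "app.bin": b"constructed firmware image",
    "config.ini": b"mode=strict\n",
    "readme.txt": b"hello",
}
LEGACY_MANIFEST = {
    "app.bin": "md5:" + hashlib.md5(FILES["app.bin"]).hexdigest(),
    # Recorded before config.ini was changed, so it no longer matches.
    "config.ini": "md5:" + hashlib.md5(b"mode=lax\n").hexdigest(),
    "readme.txt": "blake2b:" + hashlib.blake2b(b"hello", digest_size=32).hexdigest(),
}

if __name__ == "__main__":
    manifest, report = migrate(LEGACY_MANIFEST, FILES)
    for name in sorted(report):
        print(name, report[name], manifest[name][:24])
```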

Security Hole In Samsung Exynos 4 Devices Discovered; Allows Root Access And Access To Physical Memory Via An APK

Some of the developers over at the XDA forums have discovered a very serious security exploit in all Samsung devices powered by the Exynos 4xxx SoC. The exploit can allow a malicious app to easily gain root access and access to the RAM/physical memory of your device. This can have some serious implications, including an app stealing all your data or putting your device in an endless reboot.

The list of affected devices includes all Samsung devices powered by the Exynos 4 SoC, including the Galaxy S2, Galaxy S3, international Galaxy Note, Galaxy Note 2, the Galaxy Tab 7.7 and the Galaxy Note 10.1.

Many of the developers in the Android community have already informed Samsung about the exploit, and the company should hopefully come out with a fix soon.

The plus side of this exploit is that it also allows advanced users to gain root access to their Samsung device without using ODIN. Chainfire, a very renowned Android developer, has already released an APK, ExynosAbuse, that allows owners of affected devices to easily gain root access on their handset.

Supercurio, another popular Android developer, has released an APK that fixes this vulnerability. However, fixing the vulnerability might break the front camera on your device, which might be a deal breaker for many.

Via – XDA

Government Surveillance Grows by 25% over the Last Year

Google is reporting a serious rise in government surveillance over the last year. This rise can be attributed to the rapidly evolving political, economic and military scenario all over the world. The news has been posted on the Official Google blog, and the graph suggests an accelerated rise over the last year. In its sixth Transparency Report, Google has publicized the number of Government requests made over the last six months, and taking this into account, there has been a total increase of 25% over the last year.


The data shared by Google as part of these requests, includes,

Most of these user-data requests come from The United States, India, Brazil, France, The United Kingdom and Germany. However, while Google complies with over 90% of all these requests from the United States, the compliance for other countries ranges between 40% and 65%.

Two trends are evident from this report. First, the US government has stricter controls over Google and can demand (and eventually get) more data out of it than other countries. Second, the same set of six countries has always dominated the top user-data requester positions. Not to mention, many of these countries have had either political or economic tensions in the recent past.

If the Government wants user data so badly, there has to be proper accountability. This is exactly the kind of big-brother surveillance that people resent, and guess what! It has never been easier for Governments, with all these online services curating more data than was ever available before.

The only solution to this problem is that any online service storing user data must encrypt the data using a key that is exclusive to the user and is his private property. Proper information for using this private key should be included in the privacy policy, and all users whose data is being requested should be informed well in advance, so that the choice of whether to give up the data is theirs, and not that of the company holding the data.

Facebook Glitch Exposes User Accounts

A serious flaw has been discovered that allowed anyone to basically log in to other people’s Facebook accounts without the need for a password.

The flaw, which was posted on The Hacker News website, uses a search string. When you google this search string, around 1.34 million results of different Facebook profiles are obtained and when you click on some of the links, you will automatically log in to the profile associated with that particular link.

The flawed links are the ones that are mailed to users to notify them of comments or other notifications. These are designed to help users respond quickly to those notifications without having to log in. Those URLs are designed in such a way that they will only work once, Matt Jones, a Facebook engineer, said in a comment made on the Hacker News.

For a search engine to come across these links, the content of the emails would need to have been posted online.

Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible.

Facebook has now disabled the feature to protect its users and is helping exposed users with securing their accounts. Most of the exposed users are said to be from Russia and China.

U.S. Intelligence Report Suggests Cutting Ties with Huawei and ZTE

A U.S. House of Representatives intelligence report suggests the U.S. should cut off relations with two of China’s top telecom manufacturers, Huawei and ZTE. It particularly states that neither company should be allowed to merge with any U.S.-based telecom company. The recommendation comes after a nearly year-long investigation into the corporate practices of the China-based companies amid concerns of espionage and illegal activity.

Congressman Mike Rogers of Michigan, who is also the chairman of the U.S. House Intelligence Committee, laid out the details accusing Huawei and ZTE of being uncooperative and not forthcoming with requested documentation. According to the report, the investigation into these companies began in February 2011 when Huawei “published an open letter to the U.S. Government denying security concerns with the company or its equipment, and requesting a full investigation into its corporate operations.” By November 2011, the U.S. House acted on that request and began to investigate potential security risks posed by doing business with the Chinese companies. There is growing concern that the Chinese are interested in accessing U.S. infrastructure for the purpose of espionage. Below is a quote from the Executive Summary section of the report that lays out many of the concerns:

Prior to initiating the formal investigation, the Committee performed a preliminary review of the issue, which confirmed significant gaps in available information about the Chinese telecommunications sector, the histories and operations of specific companies operating in the United States, and those companies’ potential ties to the Chinese state. Most importantly, that preliminary review highlighted the potential security threat posed by Chinese telecommunications companies with potential ties to the Chinese government or military. In particular, to the extent these companies are influenced by the state, or provide Chinese intelligence services access to telecommunication networks, the opportunity exists for further economic and foreign espionage by a foreign nation-state already known to be a major perpetrator of cyber espionage.

Huawei’s vice-president, William Plummer, said the latest accusations were “dangerous political distractions”. According to a BBC article, Huawei was started by a former member of the People’s Liberation Army. It also reported that U.S.-based Cisco Systems cut ties with ZTE after it allegedly sold U.S. equipment to the Iranians, which is a clear breach of U.S. sanctions.

The report outlined several recommendations, from not allowing any ZTE or Huawei systems to be used in any government facility to warning U.S. businesses about the unfair business practices of these companies, particularly regarding intellectual property. All of this comes about at a time when relations with China are already strained due to the Presidential election. Many Americans feel the government needs to do more about China’s unfair trade practices.

For more information and to see the full report, visit http://intelligence.house.gov/.