The Role Human Error Plays When Encrypted Communication Apps Are Compromised.

Encrypted communication tools and software have seen a steady rise since the many surveillance revelations exposed by whistleblowers such as Edward Snowden. The notion of encrypting your emails, web browsing history and even phone calls has led to a battle over security vs state monitoring, but what are the weaknesses within these various encrypted apps? A new study has found that we humans often compromise our own anonymity.

The observation in question was made by researchers at the University of Alabama, who performed a study that “mimicked a cryptophone app”. These apps, including Signal, may ask both parties who are texting or calling to “verbally compare a short string of words they see on their screens which is often referred to as a checksum or short authentication string”. This is done to ensure that a new communication session has not been intercepted by a third party; if it has, the words will not match up and the session is therefore not secure.

It sounds secure, but the study found that in many cases the flaw lies with human error itself; let me explain. The researchers built the aforementioned mimic of a cryptophone app, then asked participants in the control group to use a web browser to make a call to an online server. They were then asked to listen to a random two- or four-word sequence and determine whether it matched the words they saw on the computer screen in front of them. The control group were also asked to determine whether the voice they heard was the same as one they had heard previously reading a short story.

The researchers found that the control group would often accept calls when hearing the wrong sequence of words and reject calls when the sequence was transmitted correctly. It was also found that a four-word checksum decreased the overall level of security when in theory it should increase it. To put it into perspective, out of 128 participants, an incorrect two-word string was accepted 30% of the time, while a two-word string that was spoken correctly was rejected 22% of the time. Four-word strings produced even worse results, with incorrect strings being accepted 40% of the time and correct ones rejected 25% of the time.

A possible cause could lie in the fact that these words are random and not easily placed in a sentence; we humans therefore tend to zone out and lose concentration, and the result is that we think we hear something that is in fact incorrect, or vice versa.
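To make the check described above concrete, here is an added illustration (not Signal's real safety-number algorithm, nor code from the study): a session secret is hashed into on-screen words, an honest session gives both parties the same words while an intercepted one does not, and a small constructed model shows why the human acceptance rates in the study outweigh the extra cryptographic strength of a four-word string. The word list, secrets and the accept-rate model are all constructed assumptions.

```python
# Added illustration of the "short authentication string" check; simplified model,
# NOT Signal's real algorithm. Word list, secrets and accept-rate model are constructed.
from __future__ import annotations
import hashlib

# 16 adjectives x 16 nouns = 256 distinct constructed words, one per byte value.
_ADJ = ["red", "blue", "gold", "gray", "pink", "teal", "dark", "pale",
        "bold", "warm", "cold", "wild", "calm", "soft", "hard", "odd"]
_NOUN = ["fox", "owl", "elk", "bee", "cat", "dog", "ant", "eel",
         "yak", "ram", "hen", "cod", "jay", "gnu", "bat", "emu"]
WORDS = [a + n for a in _ADJ for n in _NOUN]


def sas_words(shared_secret: bytes, n_words: int = 2) -> list[str]:
    """Derive the on-screen words from the session secret: hash it and use one
    digest byte per word as an index into WORDS."""
    digest = hashlib.sha256(b"sas-demo-v1|" + shared_secret).digest()
    return [WORDS[b] for b in digest[:n_words]]


def sas_views(alice_secret: bytes, bob_secret: bytes, n_words: int = 2):
    """Words each party sees. In an honest session both hold the same secret;
    with an interceptor, each side shares a different secret with the attacker,
    so the two screens show different words."""
    return sas_words(alice_secret, n_words), sas_words(bob_secret, n_words)


def verification_passes(shown: list[str], heard: list[str]) -> bool:
    """The human step from the study: accept only if what you read on screen
    matches what the other party reads out to you."""
    return shown == heard


def guess_probability(n_words: int) -> float:
    """Chance that an interceptor's mismatched string coincidentally equals the
    genuine one: this is why four words should be stronger than two."""
    return 1 / len(WORDS) ** n_words


def intercept_accept_rate(n_words: int, human_wrong_accept_rate: float) -> float:
    """Constructed model: an intercepted call is accepted either because the user
    accepts a wrong string (the study's 30% / 40%) or because the strings happen
    to collide. The human term dominates the cryptographic one by far."""
    p = guess_probability(n_words)
    return human_wrong_accept_rate + (1 - human_wrong_accept_rate) * p
```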

It’s an interesting experiment which could lead to better development of apps that aim to keep conversations secure.

GCHQ Claims Longer Passwords Are Unnecessary

GCHQ is a government body which monitors communications in the UK and protects the security of its citizens. While the organization remains fairly aloof, it has come under a great deal of scrutiny in the light of the Edward Snowden revelations. GCHQ and the Centre for the Protection of National Infrastructure compiled a report entitled “Password guidance: simplifying your approach”. The document recommends that users opt for a password manager instead of long and overly complicated passwords:

“Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users.”

Although, as the report concedes, professional hackers are still capable of infiltrating any kind of software, password managers included:

“like any piece of security software, they are not impregnable and are an attractive target”.

Nigel Hawthorn from security company Skyhigh Networks argued:

“The security industry is awash with password advice, but much of it is contradictory or simply not suited to modern working. The result – passwords still puzzle many. GCHQ’s latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today.”

The question is, do you trust GCHQ’s advice given their less-than-admirable behaviour in recent years? Ideally, you should set a different password for each service so that a breach of one does not disrupt every aspect of your life. However, it can be quite difficult to remember passwords, as various sites set specific stipulations for the characters used. Hopefully, fingerprint recognition and other methods will replace passwords in the near future.

Thank you The Guardian for providing us with this information.

See How Many Popular Apps Failed to Protect Your Password

When using an app developed by a big company, you might assume that it is trustworthy and ensures your security and privacy. Well, a recent test showed how easy it is to crack a lot of popular iOS and Android apps and have your passwords nabbed.

According to security firm AppBugs, a huge number of popular apps allow users to make a large number of login attempts without any type of restriction. Why is this so important? Well, hackers can simply try to guess your password this way. There are plenty of tools that can generate and test passwords automatically, and since we are talking about mobile devices, I don’t think people will use something they can barely remember, let alone type, as their passwords.

AppBugs found that out of 100 apps, 53 were vulnerable. Songza, Pocket, Wunderlist, iHeartRadio, WatchESPN, Expedia, Dictionary, CNN, Domino’s Pizza USA, Zillow, AutoCAD 360, Slack, SoundCloud, Kobo and Walmart are just a few of the ones found. The security firm gave the developers 30 days to fix the issues, but only a couple of the apps mentioned above were actually patched. The full list of vulnerable apps will be revealed on the 30th of July, according to AppBugs.

If you wish to protect your data further, consider using a password manager to store strong passwords you would otherwise forget, or enable two-factor authentication in apps where it is available.
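As an added example (not AppBugs' test harness or any listed app's code), the toy login backend below puts the unrestricted check the report describes next to a throttled version that stops checking guesses once an account has accumulated too many failures. The user records, attempt limit and clock are constructed for the example.

```python
# Added example: unrestricted login check (the AppBugs weakness) beside a throttled
# one that locks the account after repeated failures. Users/limits are constructed.
import hashlib, hmac, os, time


class LoginService:
    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                # injectable so the lockout can be tested
        self._users = {}                  # username -> (salt, pbkdf2 hash)
        self._failures = {}               # username -> (failed_count, locked_until)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def _password_ok(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login_unrestricted(self, username: str, password: str) -> str:
        """The weakness AppBugs reported: every guess is checked, so an attacker
        can keep trying at full speed."""
        return "ok" if self._password_ok(username, password) else "bad_credentials"

    def login_throttled(self, username: str, password: str) -> str:
        """Hardened form: after max_attempts failures the account is locked for
        lockout_seconds, and guesses made during the lock are not checked at all."""
        count, locked_until = self._failures.get(username, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return "locked"
        if locked_until:                  # an earlier lock has expired: start afresh
            count = 0
        if self._password_ok(username, password):
            self._failures.pop(username, None)
            return "ok"
        count += 1
        lock_at = now + self.lockout_seconds if count >= self.max_attempts else 0.0
        self._failures[username] = (count, lock_at)
        return "bad_credentials"
```

A fixed per-account lockout also lets a stranger lock legitimate users out by sending wrong guesses, so production systems usually pair it with per-client throttling or increasing delays rather than relying on it alone.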

Thank you 9to5mac for providing us with this information.

FIDO United! More Backers Emerge for Removing Passwords

Everything you do online, and sometimes offline, relies on you remembering a string of characters, numbers and sometimes even symbols. These can be anything from your pet’s name to something randomly generated by a program you’ve downloaded or even written yourself. They come with two downsides: first, you have to create something which other people can’t easily guess, find or generate. The second is remembering them; with a long combination spanning from the left-hand side to the right-hand side of your keyboard, the problem quickly becomes “shoot, did I put that as a capital or not?”. FIDO hopes to do away with that.

FIDO stands for Fast IDentity Online. The alliance was formed in 2012 as a non-profit focused on addressing the issue of online authentication: how someone gives permission and proves they should be allowed to do so, for any action you take online. With technology ranging from fingerprints to turning keys and phones into ‘keys’ for your computer, FIDO hopes to bring the different technologies and companies together to provide everyone with easy access to online authentication. One of these methods is the USB key lock, designed to replace the two-factor authentication (where, after the initial request to do something, you receive a text with a code to confirm that it was you who requested the action) used by Google.

It would seem that it is not only large companies that are interested in the idea, with the likes of Google, Microsoft and Apple now being joined by the UK’s Office of the Cabinet and the US’s National Institute of Standards and Technology. With these government bodies now taking part in FIDO, they will have an influence on how steps are taken to allow fast, password-less authentication online.

Everyone is annoyed by passwords on occasion, and easy-to-use authentication would save a lot of people a lot of hassle, especially when you find out your accounts have been hacked (something biometric security measures are looking to reduce) and you’ve lost access to your level 80 Warlock Shaman.

Thank you Engadget for the information.

Image courtesy of Shutterstock.