Chapter Author
Contact Graeme
Journalists, students, potential clients or anyone else, email:
graeme@datasecurityexpert.co.uk
Something private to say?
PGP public key
WhatsApp privacy & security and the terrorist attack on Westminster
Founded nine years ago as a “geeky” technology messaging start-up, it is now possibly the largest smartphone internet messaging app out there. As with many post-2000 tech start-ups, security is barely on the release checklist. Why? Because it would delay or totally stop a release due to cost and resources. Very few apps, services or IoT devices have security embedded from the ground up. With WhatsApp, security was bolted on over the years, and it has had a number of security scandals to date.

Facebook, which itself does not have the best privacy reputation, now owns WhatsApp, which means WhatsApp needs to make money somehow. Security was an afterthought, as with many other companies. End-to-end encryption was only released a year ago, and it is automatically transparent to users. What does this mean? The user does not have to switch it on, enter a password or generate (and exchange) an encryption key. Nice as this may sound, it reduces privacy, since everything is handled non-transparently behind the scenes by WhatsApp.
Email borne malware: if the majority of burglars came through your front door, wouldn’t you focus protection on that entry method?
Most attacks, physical or virtual, do come through obvious entry vectors. Take home break-ins: 34% come through the front door, and that is why people look at reinforced doors, door sensors, PIRs, home alarms and multiple locks. Why bother smashing the windows, which could result in getting yourself cut, leaving DNA or making a noise, when you can pick the lock or, if you are really lucky, find a door not locked?

The virtual world is no different: attacks are not as advanced as you imagine, and as with anything, people go for the easiest route in. Look at well-known attacks dating back six years or so: RSA, Target Corporation, Sony Entertainment and the Ukrainian power grid. They all have something in common; most sources say the breach started off with a seemingly innocent email with a malicious attachment.
Whitelisting: there is more to it than just blocking or allowing applications
Technical control wise, it is one of the strongest, yet it is often not used, or people simply use it for controlling applications (software). Many people argue against it since it is expensive, fiddly to install and maintain. Defence wise, it can stop unknown malware from executing and installing, or stop users installing unlicensed software, thus saving disputes. Whitelisting can be applied to almost anything, which we will explore later.

What is wrong with blacklisting, you may ask? It effectively permits 99% of the World Wide Web (or software), and a blacklist tries to block the 1%. The 1% will change by the second, and no service or product can ever keep on top of it. Antimalware companies run hours or days behind. Spear phishing websites may only exist for minutes or hours. Take a white-collar criminal, for instance: you cannot profile one as the following: 42 years old, navy striped jacket, reddish tie, cufflinks, gold watch and jewellery, illicit white powder on the table and surrounded by women. If you have not worked it out yet, this is DiCaprio in Wolf of Wall Street. Trying to block the 1% simply does not work, and products cannot profile, as profiling does not work.
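The default-allow versus default-deny difference described above, as an added illustration that is not the post's own code: both policies identify a binary by its SHA-256 hash, and the sample "executables" are constructed byte strings standing in for real files.

```python
import hashlib

# Constructed stand-ins for executables: in practice these would be file
# contents read from disk and hashed the same way.
KNOWN_GOOD = [b"approved-editor-v1", b"approved-browser-v2"]
KNOWN_BAD = [b"malware-sample-seen-last-week"]


def sha256_hex(data: bytes) -> str:
    """Identity of a binary for policy purposes: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


# The allowlist enumerates what is permitted; the blocklist only what is known bad.
ALLOWLIST = {sha256_hex(b) for b in KNOWN_GOOD}
BLOCKLIST = {sha256_hex(b) for b in KNOWN_BAD}


def blocklist_decision(binary: bytes) -> str:
    """Default-allow: execution is stopped only if the hash is already listed."""
    return "deny" if sha256_hex(binary) in BLOCKLIST else "allow"


def allowlist_decision(binary: bytes) -> str:
    """Default-deny: execution is stopped unless the hash was explicitly approved."""
    return "allow" if sha256_hex(binary) in ALLOWLIST else "deny"


def evaluate(samples: dict) -> dict:
    """Run both policies over named samples; returns {name: (blocklist, allowlist)}."""
    return {name: (blocklist_decision(b), allowlist_decision(b))
            for name, b in samples.items()}


# Constructed test set: the "recompiled" sample differs from the known-bad one
# by a single byte, so its hash no longer matches the blocklist entry, and the
# "brand-new" sample has never been seen by anyone maintaining the blocklist.
SAMPLES = {
    "approved editor": KNOWN_GOOD[0],
    "known malware": KNOWN_BAD[0],
    "recompiled malware": KNOWN_BAD[0] + b"\x00",
    "brand-new malware": b"malware-sample-built-this-morning",
}

if __name__ == "__main__":
    for name, (block, allow) in evaluate(SAMPLES).items():
        print(f"{name:20} blocklist={block:5} allowlist={allow}")
```

Only the allowlist stops the two samples the blocklist has not caught up with yet; the cost, as the post notes, is that every legitimate binary must be approved in advance.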