How to watch UK TV channels from abroad?

How to watch UK TV channels from abroad?

You are traveling outside the United Kingdom or you live outside the United Kingdom, and you do not want to miss out on your favorite TV shows from the United Kingdom. Normally, when you would try accessing UK TV channels on Internet, either through BBC iPlayer, TVplayer or any other website streaming UK centric TV shows over the Internet, you would not be able to access the content on such applications because of geo-restrictions enabled on them. That means, the content on these media streaming applications is accessible only when you are living inside the UK and it blocked when you try to access from anywhere else outside the UK region.

BBC iPlayer is a popular Internet based media streaming service by BBC – British Broadcasting Corporation. BBC iPlayer hosts a number of UK TV shows, movies, music videos, sports events, and more. BBC iPlayers supports media streaming on a number of devices – Smart TV, Laptops, Smartphones, etc.

When a user tries to access BBC iPlayer from countries other than the UK, he’s unable tto view the content due to geo restrictions enabled on it.

Below screenshot shows the error you would get when you normally try and access BBC iPlayer from outside the UK.

How to unblock and access BBC iPlayer from outside the UK?

There’s a good news for those who would want to watch media content on BBC iPlayer from outside the UK. Here we would explain a method that allows you to bypass geo restrictions and watch your favorite TV shows on BBC iPlayer.

Follow the below simple steps:

1. Get B1-Router
2. Setup B1-Router as per the instructions supplied
3. Connect you Smart TV (or any other device) to B1-Router
4. Login to B1-Router’s Administrative Panel
5. Navigate to Country Gateway tab, select ‘United Kingdom‘ as a country, and confirm it.
6. Wait for a few seconds for the connection status to change and reflect your IP address as a UK based IP address.
7. Visit BBC iPlayer application or website, and watch your favorite TV shows.

B1-Router masks your original IP address and assigns you a UK based IP address, thereby enabling you to access BBC iPlayer easily. B1-Router circumvents the geo restrictions on BBC iPlayer and allows you watch media content on it, outside the UK, from anywhere in the world.

Below screenshot shows BBC iPlayer working outside the UK, unblocked with B1-Router.

How to unblock TVPlayer outside UK and watch TV channels?

TVPlayer is an Internet-based live TV streaming service for users to watch free-to-air channels through their Smart TV, laptops, smartphones and tablets. The TV service allows television licence holders in the United Kingdom to stream 78 free live television channels, including BBC, ITV, Channel 4, Channel 5, Heart TV, Capital TV and The Box.

TVPlayer offers a “TVPlayer Plus” branded ‘no contract, cancel anytime’ monthly or yearly subscription service which allows consumers access to an additional 30 live streaming television channels, including Gold, Cartoon Network, Discovery Channel, Eurosport 1 and Eurosport 2.

TVPlayer makes it easy for users to watch various TV channels over Internet. However, TVPlayer is only available inside the UK whereas the content on it is blocked when a user is located in any other country outside the UK.

With B1-Router you will also be able to bypass the geo-restrictions on TVPlayer and watch a number of UK based TV channels from anywhere in the world.

Here is what you need to do inorder to access UK TV channels from outside the UK.

Follow the below simple steps:

1. Get B1-Router
2. Setup B1-Router as per the instructions supplied
3. Connect you Smart TV (or any other device) to B1-Router
4. Login to B1-Router’s Administrative Panel
5. Navigate to Country Gateway tab, select ‘United Kingdom‘ as a country, and confirm it.
6. Wait for a few seconds for the connection status to change and reflect your IP address as a UK based IP address.
7. Visit TVPlayer application or website, and watch your favorite TV channels.

B1-Router would unblock TVPlayer for users outside the UK and allow them to watch UK TV channels from anywhere in the world.

TVPlayer blocked outside the UK

B1-Router masks your original IP address and assigns you a UK based IP address allowing you to watch UK TV channels from anywhere in the world.

For more details about how B1-Router can help watch UK TV channels from abroad, please visit: http://www.b1router.com/en/b1-router-for-uk-tv-channels/

– Captain Krypto

Kryptotel is an IT Security Services and Product Development Company specializing in Cyber Security and Secure Communications. Kryptotel develops secure communication applications with strong encryption and security features. Feel free to consult Kryptotel for your cyber-security challenges. www.kryptotel.net.

Types of VPN

Types of VPN

VPN is a Virtual Private Network that allows a user to connect to a private network over the Internet securely and privately. VPN creates an encrypted connection, known as VPN tunnel, and all Internet traffic and communication is passed through this secure tunnel. Thus, keeping the user data secure and private.

There are two basic VPN types which are explained below.

1. Remote Access VPN

Remote access VPN allows a user to connect to a private network and access its services and resources remotely. The connection between the user and the private network happens through the Internet and the connection is secure and private.

Remote Access VPN is useful for business users as well as home users.

A corporate employee, while traveling, uses a VPN to connect to his/her company’s private network and remotely access files and resources on the private network.

Home users, or private users of VPN, primarily use VPN services to bypass regional restrictions on the Internet and access blocked websites. Users conscious of Internet security also use VPN services to enhance their Internet security and privacy.

2. Site – to – Site VPN

A Site-to-Site VPN is also called as Router-to-Router VPN and is mostly used in the corporates. Companies, with offices in different geographical locations, use Site-to-site VPN to connect the network of one office location to the network at another office location. When multiple offices of the same company are connected using Site-to-Site VPN type, it is called as Intranet based VPN. When companies use Site-to-site VPN type to connect to the office of another company, it is called as Extranet based VPN. Basically, Site-to-site VPN create a virtual bridge between the networks at geographically distant offices and connect them through the Internet and maintain a secure and private communication between the networks.

Since Site-to-site VPN is based on Router-to-Router communication, in this VPN type one router acts as a VPN Client and another router as a VPN Server. The communication between the two routers starts only after an authentication is validated between the two.

Types of VPN protocols

The above two VPN types are based on different VPN security protocols. Each of these VPN protocols offer different features and levels of security, and are explained below:

1. Internet Protocol Security or IPSec:

Internet Protocol Security or IPSec is used to secure Internet communication across an IP network. IPSec secures Internet Protocol communication by authenticating the session and encrypts each data packet during the connection.

IPSec operates in two modes, Transport mode and Tunneling mode, to protect data transfer between two different networks. The transport mode encrypts the message in the data packet and the tunneling mode encrypts the entire data packet. IPSec can also be used with other security protocols to enhance the security system.

2. Layer 2 Tunneling Protocol (L2TP):

L2TP or Layer 2 Tunneling Protocol is a tunneling protocol that is usually combined with another VPN security protocol like IPSec to create a highly secure VPN connection. L2TP creates a tunnel between two L2TP connection points and IPSec protocol encrypts the data and handles secure communication between the tunnel.

3. Point – to – Point Tunneling Protocol (PPTP):

PPTP or Point-to-Point Tunneling Protocol creates a tunnel and encapsulates the data packet. It uses a Point-to-Point Protocol (PPP) to encrypt the data between the connection. PPTP is one of the most widely used VPN protocol and has been in use since the time of Windows 95. Apart from Windows, PPTP is also supported on Mac and Linux.

4. Secure Sockets Layer (SSL) and Transport Layer Security (TLS):

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) create a VPN connection where the web browser acts as the client and user access is restricted to specific applications instead of entire network. SSL and TLS protocol is most commonly used by online shopping websites and service providers. Web browsers switch to SSL with ease and with almost no action required from the user, since web browsers come integrated with SSL and TLS. SSL connections have HTTPS in the beginning of the URL instead of HTTP.

5. OpenVPN:

OpenVPN is an open source VPN that is useful for creating Point-to-Point and Site-to-Site connections. It uses a custom security protocol based on SSL and TLS protocol.

6. Secure Shell (SSH):

Secure Shell or SSH creates the VPN tunnel through which the data transfer happens and also ensures that the tunnel is encrypted. SSH connections are created by a SSH client and data is transferred from a local port on to the remote server through the encrypted tunnel.

To know how you can secure your communications using a dedicated secure phone, please visit www.kryptophone.ae. KryptoPhone is an encrypted smartphone for secure communications.

– Captain Krypto

Kryptotel is an IT Security Services and Product Development Company specializing in Cyber Security and Secure Communications. Kryptotel develops secure communication applications with strong encryption and security features. Feel free to consult Kryptotel for your cyber-security challenges. www.kryptotel.net.

Dedicated Secure Phone vs Secure Apps

Advantages of using a dedicated secure phone over app based solutions

In today’s world when surveillance has become a norm, and cyber attacks, data leaks frequently make it to news, it is important for government officials, top business professionals or any privacy-concerned user to protect their data and secure their communications.

Privacy-concerned users can secure their communication in two ways – using a dedicated secure phone and using app based solutions on their existing smartphones. Dedicated secure phones and secure apps enable users to secure different communication types – calls, messages, emails, etc. Users can download and install secure communication app on to their smartphones via app stores in order to carry out their communications securely. However, the users can still be at risk if their phones are not secure and encrypted. It is highly recommended that you use a dedicated secure phone to carry out secure communications to minimize the risk and increase the security level. In this article, we explain why using a dedicated secure phone has more advantages than using app based solutions on your phone.

Dedicated Secure Phone vs Secure Apps

Please read below the advantages a dedicated secure phone has over app based solutions:

Having a dedicated secure phone has higher level of security than app based solutions.

Smartphones are most common targets of mobile malware, so if your mobile device is affected with a malware then using app based solution on your phone makes no sense at all.

A malware affected phone can intercept messages, monitor calls, steal phone contacts, record browsing history, etc.
Cyber criminals and hackers use mobile malware programs to spy on target individuals.

Mobile malware programs usually find its way to a user’s less secure smartphone through third-party applications installed from the app stores.

Hackers with malicious intent can inject malware into app based solutions onto the less secure smarphone devices and other apps on the device to access data, steal passwords, etc.

Even if the user has secure communication app based solutions on his smartphone but his phone is affected with a malware, he is still at risk of being intercepted and his communication being leaked.

Some third-party apps also leak information about the user.

The dedicated secure phone is encrypted from the ground up, so your phone data cannot be illegally accessed or modified.

The dedicated secure phone has a disk encryption enabled by default which can be accessed only by a strong password.

The dedicated secure phone has secure communication apps preloaded and the user does not need to install any apps on his own.

The dedicated secure phone only contains authorized secure communication apps and doesn’t have any third-party apps installed.

The dedicated secure phone has all Google apps disabled including the PlayStore.

A user cannot install cannot install a third-party app onto his phone since the PlayStore is disabled.

All the above points indicate that a dedicated secure phone has more advantages over app based solutions.

Smartphone Malware

Smartphone Malware

Millions of smartphones have been found to be infected by malicious programs called malware. The average smartphone user is hardly aware of smartphone malware. It is a common practice that smartphone users are more concerned about the physical safety of the phone than a serious threat of a malware attack.

Smartphones are the most common targets of mobile malware and therefore, it is high time that smartphone users are educated about mobile malware programs and how to prevent the malware from attacking their smartphones.

A malware infected smartphone can cause a lot of problems for the user. Malware can slow down a phone’s performance, impact the phone’s data usage, intercept messages and monitor calls, steal phone contacts, track user’s location and movement, record browsing history, and more. Cyber criminals or hackers even use malware programs to spy target individuals.

When a phone is compromised, hackers can access all the sensitive information on the phone including the passwords, emails, messages, personal pictures, etc. Some malware programs even record and monitor online banking transactions of the user. Malware programs like ransomware lock files or even the device demanding user to pay money to allow access to device and files. Overall a malware can cause some serious threat to privacy and security of a user.

It is found that Android based smartphones are more affected by malware than Apple smartphones. Usually, a malware finds its way into the smartphone through third-party apps installed from the app store. According to the reports earlier this year, Android based smartphones of 39 brands were detected to have malware pre-installed on them. These included some high-end smartphones of popular smartphone manufacturing companies. It is believed that malware was injected into the devices somewhere in the supply chain.

Some abnormal signs and symptoms on the phone can help a user detect presence of malware on the smartphone. Some of these signs are mentioned below.

Unusually Bad Battery Life. When a user does not perform many battery draining activities on the phone but still phone battery drains out faster than usual and on a regular basis, indicates an unusual behavior. This unusual behavior of the battery is because of certain processes of the malware running in the background that drain out the battery.

Clogged Performance of the Phone. A malware infection may cause various performance issues which disrupt normal working of the phone. Hidden malware processes running in the background consume too much RAM or CPU load to let the phone and the apps function in a proper manner. This may even result in freezing of applications and the phone, due to which a user often has to hard reboot the phone. Clogged performance of the phone is a possible sign that a malware is present on the device.

Abnormal Data Usage. Some malware programs that steal the data from your phone to unknown servers can be detected by observing the phone’s data usage, upload and download patterns. Some smartphones also display data usage by apps, if the data is being used by some suspicious apps, it could be a sign that something is not normal with the phone.
Malware scans. A user can also detect a malware by scanning the phone using malware detection apps.

When a user finally detects the presence of malware, it is important to remove the malware and clean up the phone. Here are a few things that can help a user remove malware from the phone.

When a user has detected and identified the malware app on the phone, the first and foremost thing that needs to be done is delete the app or do a factory reset to clean up the phone’s memory if the malware infection has spread across the phone. In some cases when the malware is highly malicious and even the factory reset doesn’t help, the user needs to get the firmware of the phone re-installed. Frmware re-installation of the phone is done through a complex process called flashing which should be done only by authorized mobile technicians.

Hackers claim access to millions of iCloud accounts, demand ransom from Apple

Hackers claim access to millions of iCloud accounts, demand ransom from Apple

A hackers group calling itself ‘Turkish Crime Family’ has claimed access to over 500 million iCloud accounts, and has threatened Apple to wipe out these accounts if they do not pay a ransom amount.

The hackers group claims to have verified approximately 200 million of these credentials, providing access to iCloud accounts that have two-factor authentication security measure on.

The initial ransom amount demanded by the hackers was $75000 in cryptocurrency (Bitcoins), or $100,000 worth of iTunes gift cards. The ransom amount was later increased to $150,000. The group has said they would delete the compromised iCloud credentials only after Apple pays the ransom amount.

Apple has been given a deadline of 7th April 2017 for the ransom to be paid.

So far Apple has not paid the ransom amount, and has not officially confirmed the authenticity of the data claimed by the hackers. But Apple has categorically denied any security breach of its systems.

Here is what Apple’s official statement on the issue reads:

“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” the spokesperson said. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

Kryptotel is an IT Security Services and Product Development Company specializing in Cyber Security and Secure Communications. Kryptotel develops secure communication applications with strong encryption and security features. Feel free to consult Kryptotel for your cyber-security challenges. www.kryptotel.net.

Top Cyber Attacks of 2016

Top Cyber Attacks of 2016

We live in a world where cyber-attacks, data leaks and security breaches quite frequently make it to the breaking news headlines! Government agencies, corporates firms and leading banks – all have had to deal with cyber-attacks in past. The year 2016 was no different and saw some of the worst cyber-attacks in the history. From influencing US Presidential elections to banks losing money, the year 2016 has seen it all.

Here is a summary of some of the biggest cyber-security attacks, breaches and data thefts that came into light in 2016.

US Presidential Elections – Leaked Emails

The year 2016 saw hackers get access to email communication between US Democratic National Committee’s (DNC – Democrats) Presidential candidate Hillary Clinton and one of her close associate John Podesta who was the chairman of Hillary Clinton’s election campaign. The leaked emails were later published by Wikileaks in the run up to the US Presidential elections and thus attempted at influencing the elections.

It is believed that in the run up to the elections, hackers had sent phishing emails to numerous members of Democrats and one such phishing email was also sent to John Podesta, the chairman of Hillary Clinton’s election campaign, asking John to change his password. John’s close aide spotted the phishing email and forwarded it to a computer technician who in turn, by mistake, flagged it as legitimate instead of illegitimate. This mistake led hackers access to over 60000 emails in John Podesta’s email account. The leaked emails were subsequently published by Wikileaks.

Philippines Voter Data Leak

Weeks before Philippines General Elections which were scheduled on May 9th 2016, the database of Philippines Commission on Elections (COMELEC) was breached and records of approximately 55 million registered voters were exposed and published in the public domain.

This was Philippines’ worst ever data leak that had put voters at risk and exposed registered voters’ data into public domain including their personal information, fingerprint data and passport information, etc.

A Philippines based hackers group called Anonymous Philippines claimed the responsibility of the hack, and voters’ data is believed to have been made public by LulzSec Pilipinas.

Multiple SWIFT Cyber Attacks

The year 2016 saw multiple attacks on SWIFT transaction software to steal millions from various banks across the globe. SWIFT or Society for Worldwide Interbank Financial Telecommunications is a global financial messaging system used by banks and other financial entities.

In February 2016, hackers took advantage of this SWIFT system and stole 81 million dollars from Bangladesh Central Bank.

The second, third and forth similar incident took place in May 2016 when hackers again abused the SWIFT system and attacked banks in Vietnam and Philippines. In June 2016, the fifth SWIFT hack incident happened when hackers stole 10 million dollars from a Ukrainian bank through SWIFT system.

Dyn DDoS Attack

On October 21st 2016 hackers launched a massive cyber-attack against US DNS service provider Dyn which caused a temporary shutdown of major websites including Twitter, Netflix, Amazon, Airbnb, PayPal, The New York Times, SoundCloud, Shopify, and many others.

The services to affected websites remained disrupted for almost an entire day and caused inconvenience to over a billion customers worldwide.
The hackers carried out this attack by compromising thousands of IoT (Internet of Things) endpoint devices using a special malware, making the devices behave like bots, which transformed into a bigger botnet and eventually caused a Distributed Denial of Service (DDoS) attack on Dyn servers.
Hacker groups like SpainSquad, Anonymous and New World Hackers claimed the responsibility for carrying out Dyn DDoS cyber-attack.

Yahoo! Twin Data Breaches

In September 2016, technology giant Yahoo shocked the world when it revealed that around 500 million user accounts have been breached. What was more embarrassing for Yahoo and shocking for the users was when Yahoo later announced that the breach had actually occurred in the year 2014 but surfaced out only in 2016.

But this was not the end of embarrassment for Yahoo. In December 2016, Yahoo further disclosed that a separate security breach incident had occurred way back in August 2013 wherein over one billion user accounts had been compromised.

The two data breaches had led to theft of consumer data including name, email address, phone number, date of birth, security questions with answers, and passwords. This sensitive data is supposedly still circulating on the dark web.

These twin data breaches of Yahoo are considered to be largest in the history of Internet. Yahoo initially had blamed state-sponsored agencies for the breach but later withdrew its statement, currently the inquiry into the breach is still on-going.

LinkedIn Hack

While LinkedIn was actually hacked in 2012 but the actual revelations came into limelight only in 2016.

LinkedIn was hacked way back in 2012 when its data was breached by Russian hackers and it was believed about 6.5 million user accounts were compromised, which resulted in login details (email and password) of these user accounts being stolen. The hackers were easily able to crack the passwords, the reason being, although the passwords were encrypted, but were not salted when stored in the LinkedIn database.

In 2016 the LinkedIn hack again surfaced out when it was revealed that the actual number of user accounts compromised due to 2012 breach was much higher, more than 117 million users were actually hacked. The details of the compromised user accounts, emails and passwords, were apparently sold on the dark web. It is believed that this sensitive information is still being circulated on the dark web.

DDoS attack on automated systems in Finland

In October 2016 hackers carried out a Distributed Denial of Service (DDoS) attack on automation system of two buildings in Finland resulting in disruption of the heating systems. The building automated systems remained affected for over a week causing severe inconvenience to the residents during the cold winter season.

The DDoS attack had put the building automation system in an endless cycle of reboot, making devices restart every few minutes, causing disruption of the services. The attack had also stopped remote-access to the automation system hampering the efforts to diagnose and fix the issue remotely.
This attack raised a big question on the security of Internet of Things (IoT) connected devices, and also emphasizes the need to have stronger cyber security for Internet of Things.

Ransomware Attacks

The year 2016 saw a series of ransomware attacks. Ransomware is a malware that encrypts your files, holds them hostage and then demands money to decrypt the files, payments made to anonymous bitcoin accounts.

Ransomware attacks were rampant in 2016 and has proved to be successful money-making model for cyber criminals. Ransomware cyber criminals made over $1 billion in 2016.

Tumblr Hack

Tumblr, a popular social blogging website, announced in May 2016 that it had suffered a security breach in 2013 which led to 65 million user accounts being compromised. Sensitive data like emails and passwords of tumblr users were leaked and circulated on the dark web as per reports.

Encryption Algorithms

In our previous blog post ‘Encryption‘ wherein we explained encryption and different encryption methods. This blog post is subsequent to that and here we will explain different types of encryption algorithms that are most commonly used in cyber-security world.

Types of Encryption Algorithms

Triple DEC/DEC
RSA
AES
Blowfish
Twofish
MD5
SHA
HMAC

Triple DES or DES/3DES

Data Encryption Standard encryption algorithm was first used and endorsed by US Government in 1977. DES encryption algorithm forms the basis for ATM PIN authentication and also utilized in UNIX encryption password. DES is a block cipher with 64-bit block size and uses 56-bit keys.

Triple DES or 3DES was designed as a more secure and stronger encryption algorithm to replace the original version of DES algorithm. Triple DES encrypts the data three times with three different individual keys of 56-bits each, which makes the total cumulative key length up to 112-168 bits long.

RSA

RSA is a public-key encryption algorithm and a standard for encrypting sensitive data sent over an insecure network like the Internet.

RSA encryption algorithm was first introduced by Rivest, Shamir and Adleman at Massachusetts Institute of Technology in the year 1977. It is with reference to these three individuals that this method of encryption was named as RSA (Rivest-Shamir-Adleman).

RSA, a public-key cryptography, is an asymmetric encryption which uses two different but mathematically linked keys for encryption and decryption. In RSA encryption algorithm, a public-key is used for encryption and a private-key for decryption. The public-key could be shared with others but the private-key must always be kept secret.

RSA is one of the most popular and widely used encryption algorithm for encryption and digital signatures in the cyber-security world today.

AES

AES or Advanced Encryption Standard is an encryption algorithm that was announced and approved by the United States National Institute of Standards and Technology (NIST) in November 2001. AES replaced DES encryption algorithm and became a standard encryption technique for the US government in 2002.

AES encryption algorithm was developed by two cryptographers from Belgium, Joan Daemen and Vincent Rijmen, who submitted it to NIST where it was approved. AES, originally named Rijndael, is a family of ciphers with different key and block sizes.

AES encryption algorithm comprises of three block ciphers of 128-bits, 192-bits and 256-bits. Although encryption with AES 128-bits is quite strong and efficient, 192-bits and 256-bits key is used for higher grade of encryption.

AES is a symmetric encryption algorithm and uses a single private-key for both encryption and decryption processes. AES encryption algorithm is used by numerous organizations worldwide apart from being trusted by the US government.

Blowfish

Blowfish is a symmetric block cipher that was developed and introduced by Bruce Schneier in 1993 as an alternative to the encryption algorithms existing at that point in time.

Blowfish has a 64-bit block size and a variable key length from 32-bits up to 448-bits. Blowfish encryption algorithm splits a message into the blocks of 64-bits and then encrypts the blocks individually.

Blowfish is unpatented and a free to use encryption algorithm, easily available in the public domain.

Twofish

Twofish is a block cipher encryption algorithm based on Blowfish encryption algorithm. Twofish was one of the five finalists at NIST to replace DES encryption algorithm where NIST eventually selected and standardized the Rijndael algorithm, commonly known as Advanced Encryption Standard (AES) algorithm.

Twofish is a symmetric key block cipher with a block size of 128-bits and key size ranging from 128-bits to 256-bits. Twofish algorithm being a symmetric encryption technique uses a single key for encryption and decryption.

Twofish encryption algorithm was designed by a team of cyber-security experts led by Bruce Schneier at Counterpane Labs in the year 1998. Like Blowfish, Twofish is also unpatented, license-free, free-to-use and available in public domain.

MD5

MD5 Algorithm was developed by Professor Ronald L. Rivest of MIT in 1991, and is widely used to verify data integrity. MD5 is a one-way hash function which creates a 128-bit hash value, and is most commonly used in digital signature applications.

MD5 algorithm has been optimized for 32-bit machines and was designed to replace MD4, an earlier hash function also designed by Rivest.

MD5 algorithm verifies data integrity by processing a variable-length message into a fixed-length output hash of 128-bits. MD5 algorithm is sometimes also referred to as Message-Digest algorithm.

SHA

SHA or Secure Hash Algorithm is a family of cryptographic functions which includes SHA-0, SHA-1, SHA-2 and SHA-3.
SHA algorithms are component of SSL certificates to verify data integrity, that is to ensure that the data has not been modified.

SHA-1 cryptographic hash function that was designed by the United States’ NSA in 1995. However, SHA-1 is no longer considered to secure enough and post 2010 many cyber-security experts have recommended the use of SHA-2 or SHA-3 as a replacement to SHA-1. Most of the popular browsers would stop the support for SHA-1 based SSL certificates.

SHA-2 is also designed by NSA and was first published in 2001. SHA-2 is a set of cryptographic hash functions which includes six hash functions of different digest sizes: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

SHA-3, formerly named Keccak, was designed by cryptographers Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche and was approved by National Institutes of Standards and Technology (NIST) as a part of a competition which received 64 submissions from all over the world. Subsequently, SHA-3 standard was released by NIST in August 2015.

HMAC

HMAC or Hash-based Message Authentication Code (HMAC), first published in 1996, is a type of message authentication code that involves both a secret cryptographic key and hash function. HMAC simultaneously verifies the data integrity and authenticates the message.

In HMAC, the message and the key are hashed in separate steps which adds to the security of HMAC. The cryptographic strength of HMAC is dependent on the strength and size of the hash function and size of the key.

IPSec and TLS protocols use HMAC-SHA1 and HMAC-MD5 encryption algorithms.

Encryption

In the contemporary world where the news about data leaks and security breaches have become quite frequent, cyber-security and more specifically encryption is an important concept for many companies to understand and implement.
Security breaches and data leaks cost millions of dollars to organizations. IT Security has become the highest priority for many global companies and government departments.

There are many security protocols and technologies available which help organizations to secure their infrastructure, data and communications. However, encryption is one of the most important part of IT security strategies that are implemented by companies and government departments.

Encryption is a technique which helps protect the data and communications.

What is encryption?

Encryption is a technique of encoding the information in such a manner that it becomes unreadable and only authorized parties are able to access it. The authorized party can access the information using a key which decodes the information.

The encrypting process basically transforms the information or a message from plain text to cipher text by encrypting it using an encryption algorithm. The cipher text can only be read when it is decrypted using a key, which only the authorized party will have. Encryption ensures that data is not read or altered by unauthorized parties.

Here is an example of how encryption works.

When you send an email using an encrypted email service, the plain text message is scrambled and made unreadable for unauthorized parties.

This is how an encrypted email message looks like:

"hQIMA9k15z0KX/NsARAApV8pSKc9kSbARMzjCLM6b9YsMz3I3QFZUKqWpCwO6ut2lmsddHnsVSjHZe0MS0FnNI2SJDuW+7Kt2MR2DXcYpB/6esYBm6dbL73/GM8wW9qa450okjxNf4VeErVgt2VSJ/qyLlVuc5BnLz9IodTu3rNtGGcqTWOKQiB2vXGqfdw+/5bSKtESZxVi/YRGVNeIk+fa/2Yh7lnv5xUaaakdGTdj3LSHw77+CoTcG+L5RaHrgMZ6OItioR9UN51xgfYELg8q21llCK9MotpjgRSHJaZphBvl3liKTj7uQbYGNGpwwIHJ4
zb+yrP4WRONA0AqVgOk5LNevpCxO7Ag4BVgE9WJ1MOsAGD9jTKfHZZPKlh7O949JthZ5T5Nd9+oZAnJmBSyt+R9SA943a6fa1EUFWJ2yPzNDblhu
9lgcTQ2BqRRvKx02SyHwAR22TvUI8+w9c/8VUajcZ/eudz44FcLdK35mmLhyQDw87301Lo4aFb52opTFp+dYio5UYK6wR9MUu8OzrGeiAV98d30Tk
9WTntWcm486B2kN7/dhHxEYsMI2ZWzq4KXNog3/29AarcgbqQIjKY3RHxYsP1/6wnyqdI6JeLGunTEbeVA5tq10ZIHHZehayxnfLJMEd0TjQh5gyXF1x0YjoT7wGCLscS02yG/5PSyA6pK0GRbEyaNOAaceRvBbcsrmWybWe1ySR+gRIuAK3KygCUONZ4MXR0hopKJpz4pliTnd/u6Wfya83pzC1Cn3P6cO4yH6sRjXWB3KztYkKOyDwVFYNk7nfZFcAW+1ZfA3WWm5MRrgxQT2JJ9Gj1U7ue0tCqEYdpq1yTgtpbSZiO5Orx3fA29/N4kpIk6YrDIPKzafE8qzaP0xO+IeTw8g0RqfyKxZTZ1pY5SPdx0lSbmGVz3irQ7VabonRVoVZhyURPrXw2TVUA7Ft
hKt0bmAotdR2D0vVW7sLeDFattpr2Qs1dr99/+1btilLQGyl7s3cgtw+eLKmutLpAbU6u2iXxxSCSGS1JMR1+1nILNf26XXkES+KhsdsIoEDiTQ+
S6r0BL/IfUHUgt1KgBUHwMGycLsP+69FyFJPuTW21ttSJMBJx5S3aB8R2VmRWCi4+Mrctllg+H4C6ml4Pn64sjNNdSJer3gpSynceFuySM
mul46CDBwAKxt9haksZ5bBqLcIhAkJ+96PtLTvqEHP6jLFyVisuHUTZoh3buheK5SuuJoQIq6SlAJYp8eo2SpZAk0W9gAvmFV+0nlI7//G0lF4/tns2om3Hs8uQQ0F+vE8SvgrrxxEeXSPjqZpmfw+VHQg9iwBJzHJfVObQQwUuKhFqVbsUpEU48h4qhKjMlvJd+H2gFfw3VywQwK45X
nLInUpyANK+uVlxwfCoUz0u+3RADVAxkCKWoWmw6f4eY5IaBRnMb1uzzRXv6RRaShZyZ7BI3ZbcBXsG7MFrMNRdSF5zN3r=JSOY"

Only the intended authorized recipient can decrypt the above encrypted text. The authorized party receives a private key from the sender of the email, using this private the authorized recipient can decrypt the email.

Decrypted email text:

"Hello John, How are you doing?
Join me for a cup of coffee next week in San Francisco.
Best,
Alex."

Different Encryption Methods

Symmetric Encryption:

Symmetric Encryption, also known as private-key cryptography, uses a single key for encryption and decryption. The sender encrypts the data with a private-key, sends the encrypted data to the authorized recipient, the recipient uses the same private-key to decrypt the data.
Symmetric Encryption is also known as private-key or secret-key cryptography because it uses a secure private-key for both encrypting and decrypting processes.

Asymmetric Encryption:

Asymmetric Encryption, also known as public-key cryptography, uses two different keys for encryption and decryption and hence differs from symmetric method. In asymmetric method, a public-key is used for encrypting process whereas a private-key is used for decrypting process.

Hashing:

Hashing is a type of cryptographic security which generates a unique fixed-length value or a hash for a message or data. Hashing is irreversible, once a message is condensed into an irreversible fixed-length value, it cannot be reversed. This is where hashing differs from encryption which is a two step process where a message is first encrypted and then decrypted, which is not the case with hashing. Hashing is a single step irreversible process.

Hashing is used to verify the data and check if the data has been tampered with, and cannot retrieve the original message.

– Captain Krypto 🙂

Kryptotel is an IT Security Services and Product Development Company specializing in Cyber Security and Secure Communications. Kryptotel develops secure communication applications with strong encryption and security features. Feel free to consult Kryptotel for your cyber-security challenges. www.kryptotel.net.

Mobile Applications & Security Vulnerabilities

Mobile Applications and Security Vulnerabilities

Mobile Applications & Security Vulnerabilities

There are over 2 billion smartphone users in the world today. The enormous rise in the use of smartphones globally has also led to a surge in the usage of mobile applications. There are over 2.2 million Android based applications in Google PlayStore and over 2 million iOS applications in Apple’s AppStore.
Applications, in general, are becoming a dominant form of digital interaction and hence applications are not just limited to smartphones. Applications are developed and used for wearable devices, for devices connected in Internet Of Things, Smart Cities and Smart homes, etc. These devices communicate with each other via applications which makes security in applications all the more important. Security is critical in applications and therefore applications need to be without any security vulnerabilities, but that is not the case. Application do have security vulnerabilities.

Some of the common security vulnerabilities in mobile applications are explained below.

Weak Server-side Components:

Mobile applications communicate to the servers using APIs. The communication requests from APIs need to be properly verified and authenticated before allowing an access to back-end services. Absence of proper security verification and authentication would lead to security vulnerabilities.

Weak server-side security vulnerabilities include Cross-site scripting and forgery, weak authentication system, injection attacks, etc.

Data Leakage and bad storage practices:

Mobile applications collect a lot of data. Some of the data collected by applications is required for them to function, but there is also unnecessary data collected which is a cause of concern. It is critical that the collection of data by apps doesn’t compromise a user’s privacy. An unsecured app could leak the user’s private data. There have been various researches and studies which show how mobile apps have been collecting user’s personal information and then leaking the same data to agencies or third-parties.

Here are some common ways mobile applications expose user data:

Using a misconfigured or insecure ad and/or analytics framework. A framework which is not properly configured or doesn’t proper security measures could be a potential security vulnerability to collect and expose user’s personal and sensitive information.

Unencrypted data transmission from between the app and the back-end server.

Unnecessary logging by the applications becomes a vulnerable point to expose data to unauthorized third-parties.
Android applications have an option of storing the data on external storage which is a point of vulnerability because the applications cannot trust that files have not been modified.

When users sync their data to a cloud platform which is not secure increases vulnerabilities of exposing the data to unauthorized access.

Weak Encryption & Security Protocols:

Mobile applications become prone to external attacks in absence of strong encryption algorithms and security protocols. Attackers use information stored in the cookies and environment variables to bypass the security and access the data on the mobile device. Mobile applications needs to built with latest and strong encryption algorithms which meet the modern security requirements.

Below are some facts as per HPE 2016 Cyber Security Report:

52.1% of applications accessed geolocation data
70% of education applications on iOS accessed geolocation data
11.5% of applications accessed contacts
40.9% of social networking applications accessed contacts
19.8% of finance applications accessed contacts
16.3% of applications accessed calendar data
41.9% of iOS game applications accessed calendar data
52% of iOS weather applications accessed calendar data
61.7% of applications used ad or analytics frameworks to expose data
64.8% of health applications used ad or analytics libraries to expose data
53.2% of medical applications used ad or analytics libraries to expose data
43.8% of finance applications used ad or analytics libraries to expose data
94.8% of applications include logging methods
70.6% of applications can access external storage

(Link to the detailed report: https://saas.hpe.com/sites/default/files/resources/files/Mobile%20Report%20ver%2010.2.pdf)

-Captain Krypto 🙂

Wearable Technology & Security Concerns

The use of wearable technology has been on a rise in last few years, and so are the security concerns that come along.

What is Wearable Technology?

The terms ‘wearable technology‘, ‘wearable devices‘, ‘wearable gadgets‘, or simply ‘wearables‘ are referred to the class of electronic technology devices that can be worn on the body. Wearables are created by integrating technology or computers into clothing and accessories which can be easily worn around the body.

[blockquote author=”” link=”” target=”_blank”]Wearable technology is most often advocated as one of the greatest application of Internet Of Things considering the fact that wearables have the potential to completely transform the way we live, today and in future.[/blockquote]

Although these wearable gadgets can perform same computing tasks as mobile devices and laptop computers, but wearables are primarily designed to track health and fitness related information. The sophisticated modern wearable tracking devices are made up of smart sensors and scanning features which help track physiological functions of the body. Therefore, helping consumers achieve their health and fitness goals.

Examples of Wearable Gadgets?

Below are some of the wearable gadgets available in the market that are most commonly used.

Fitness Trackers: Fitness Trackers help in monitoring exercises and physical activities by tracking biofeedback from the body. They are based on sensors and are worn around the wrist, connected wirelessly to the smartphone via bluetooth displaying health and fitness related information on the smartphone application.
Smart-watches: The modern smart-watches are not designed just to display the time, but is door to your digital world. Smart-watches are worn around the wrist and connected to your smartphone, and generally displays notifications from phone calls, messages, emails and social media.

Some other types of wearables are sports watches, smart jewellery, implantables, etc.

What are the security concerns of Wearable Technology?

No doubt that the use of wearable technology is on a rise, and there has been an increase in the popularity of wearable devices. But along with the popularity growth of wearables there has been in an increase in the concern over security with such devices.

While wearables such as fitness trackers, smart-watches, sports watches, smart clothing provide great benefits to the consumers, at the same time consumers need to be cautious about the possible security concerns of wearable devices. Most of these wearable gadgets are Bluetooth enabled and connect to the Internet, they are vulnerable in absence of proper security measures like encryption and authentication.

Wearable devices such as fitness trackers monitor and track activities and health related information of consumers all around the clock, therefore huge amount of private and sensitive data is collected and stored by these devices.

[blockquote author=”” link=”” target=”_blank”]This makes wearables an attractive target for hackers to get unauthorized access to this private information and monetize it.[/blockquote]

In absence of strong security measures, hackers could manage to get access to these health records and make money by selling these records.

Some of the known security vulnerabilities in wearables are: SQL Injection, Phishing, Buffer Overflow Attacks, etc.
Consumers also need to be cautious about allowing manufacturers of such wearable devices permission to share their information with third-parties. Reputed and well-known brands usually implement appropriate security and privacy measures. Consumers should avoid low-cost and poorly designed wearable devices that may possibly create security threats.

-Captain Krypto 🙂

Kryptotel is an IT Security Services and Product Development Company specializing in Cyber Security and Secure Communications. Kryptotel develops secure communication applications with strong encryption and security features. Feel free to consult Kryptotel for your cyber-security challenges. www.kryptotel.net.