Why Non-Cheaters Should Be Just As Worried As Ashley Madison Members


Millions of accounts stolen from the adultery facilitation service Ashley Madison hit the dark web this week, causing angst for spouses, anxiety for the site’s users and social reflection from a variety of media sources. The information includes names, passwords, email addresses, credit card information for paid accounts, physical descriptions and profile information about users’ kinks and sexual fantasies.

Tools to search the massive database have already appeared, though it’s not clear how accurate those tools are and whether they are harvesting information themselves. Let’s look at some of the security implications of the leak.

Public Security Concerns

Many of the site’s users signed up with their work emails, probably in an attempt to keep their spouse or significant other from reading their messages. Approximately 15,000 of the leaked accounts are linked to email addresses with .edu, .mil or .gov accounts. This means the names and personal information of thousands of government employees are now online, making them a target for blackmail and identity theft.

Almost 2/3rds of the emails are from military addresses. The United States military has regulations against cheating on spouses, and the leak could lead to dishonorable discharges should the military decide to follow up. Several state and local government agencies have stated they will be looking into accounts that used email addresses linked to their employees.

Is the Data Legitimate?

Ashley Madison did not require email verification, and it’s not exactly difficult to sign up for a free account with someone else’s information. Confirming the information is difficult, since neither Ashley Madison nor their cheating users are likely to comment. On the other hand, people who were wrongfully signed up by others have no way to prove their innocence either.

Some of the leaked accounts contain data specific enough to trace back to individuals such as credit card information and is undoubtedly legitimate, but others are obviously faked. For example, someone signed up for an account using the name and email address of one of the fictional FBI detectives from the TV show The X-Files.

What Can We Learn?

Consider anything you enter online permanent. Some of the users in the leaked database paid a fee to Ashley Madison for a service that was supposed to delete their account and information entirely. Obviously it didn’t work.

Don’t advertise your computer system or service as totally private and unhackable. One of the reasons Ashley Madison was targeted was their advertisements touting the safety of users’ information. In any connected system there are ways for determined hackers to get in.

Don’t use your work email address for personal communication. Even if you’re not cheating on your spouse, it’s not a good idea. Most employers back up their email messages and accounts for security purposes.

About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and Youtube.

Black Hat Conference Highlights


Last week cyber security experts gathered at the Mandalay Bay hotel in Las Vegas for the 9th annual Black Hat conference. While the major media focus was on the connected car vulnerabilities I discussed in a previous post,  there were many other important subjects covered. Let’s look at some of the highlights.

Android Fingerprint Sensor Hack

Some smartphones include fingerprint sensors that allow users to swipe their finger instead of entering passwords. FireEye researchers Tao Wei and Yulong Zhang presented evidence that fingerprint readers on many Android devices are vulnerable to attack. The sensors are not locked down, and the files controlling them are easy to hack even on unrooted devices. A clever hacker could install malware on a device and use it to steal the fingerprint of anyone who uses the sensor. Unlike passwords, fingerprints cannot be changed. Once a fingerprint is compromised, it’s compromised for life. Fingerprints are tied to someone’s identity on documents such as passports and police records. Manufacturers of the affected devices have issued patches to resolve the security flaws, but as more devices with fingerprint readers become available we’re sure to see more users affected in the future. More Info Here

Google Talks Android Security

In the wake of the Stagefright security flaw that exposes approximately 950 million Android devices, Android security chief Adrian Ludwig spoke about Google’s plans for fixing the bug. The company will update all its Nexus devices (including those that are WiFi only) and provide security support for all Nexus devices for a minimum of three years. With public confidence shaken, Ludwig also spoke about Android’s existing security features and security analysis for apps offered through the Google Play Store. More Info Here

Defending Against Watering-Hole Attacks

Senior development engineer Aaron Hackworth at Dell SecureWorks detailed the methods and activities of a cyber espionage group based in China. Dubbed TG-3390, this group’s major strategy is to target organizations through web sites and services employees are known to use. The hackers attack the service and redirect traffic to a malicious web site. When someone visits from an IP of interest, the site installs malware on their machine. Once the hackers have access, they attack the domain controller and install keyloggers and back doors on any Microsoft Exchange servers. This allows the group to steal credentials so they can re-enter the network if discovered. Hackworth recommended removing all local administrator rights and switching to two-factor authentication (2FA) on all remote-access services thwarts the hackers’ ability to steal login information and regain access. More Info Here

Stealing Data with IoT Devices

According to Columbia University researcher Ang Cui, printers, Internet of Things (IoT) devices and other inexpensive network-capable devices can be hacked into radio transmitters. This hack uses I/O pins and a connected cable to generate radio waves that a receiver can pick up. Cui demonstrated the hack on an inexpensive printer, using the printer cable as an antenna and picking up the signal on a handheld radio. The most troubling part of this hack is because it works on devices that do not even have WiFi, hackers can target devices on the network that IT personnel may not even consider a vulnerability point. More Info Here

OPM Pwnie Award for Most Epic Fail

In a year of massive data breaches, the government’s Office of Personnel Management managed to take home the least-coveted award at the conference. In June the OPM announced that background check records on 25.7 million current, former and prospective government employees and contractors had been stolen by hackers with close ties to the Chinese government. The hackers managed to stay in the system for over a year, and unnamed sources told ABC news the records of top administration officials and current and former cabinet members were compromised. Not surprisingly, the award went unclaimed. More Info Here

About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and Youtube.

Stagefright Bug Takes Center Stage On 950 Million Android Devices

Android Stage Fright

A series of bugs and security loopholes in the Android operating system could allow hackers to take control of up to 95% of Android smartphones simply by sending an MMS message with malware attached.

What is the Stagefright bug?

Stagefright is the name of the Android operating system’s media library, which the bug is named after. It affects all Android devices running version 2.2 and up and there is currently no patch. The recipient doesn’t even have to open the message. By default the Android operating system downloads unread messages, triggering the malware. An attacker could send the MMS with malware attached, take control of the phone and delete it before the user is any wiser.

When will the bug be resolved?

The mobile security company Zimperium Labs discovered the flaw and alerted Google in April. Google is working on a patch for its Nexus devices, but it won’t be available until next week. For other device manufacturers, it could take a lot longer.

Very few manufacturers run vanilla Android on their devices. Most devices have customized software that will require testing. Google will provide the software fix to the manufacturer, which then must test the update on their devices. The manufacturer will apply the update to the base version of their OS, then test each individual product line. After the manufacturer is finished, they send the update to the wireless carrier. Sometimes carriers do their own testing before pushing the update out to users. It could be weeks or months before non-Nexus devices see an update. The cost of testing means some older devices may never get it.

What can you do to protect your device now?

The key to protecting your smartphone is preventing the device from automatically downloading MMS messages from the server. Open your default messaging app and press the Menu button. Select Settings and look for an “Auto-retrieve” checkbox. Some devices may have the option under “Advanced settings.” Unchecking this box will stop the device from downloading the messages, allowing you to delete messages from any numbers you don’t recognize before you open them. If you can’t find the setting, contact your wireless carrier or device manufacturer for assistance.

Is Stagefright the only vulnerable part of the Android OS?

There are no confirmed cases of hackers using it, but the sheer number of vulnerable devices makes this a major security flaw. Zimperium Labs indicated in a blog post that others had previously uncovered bugs in Stagefright, and that it is possible the bug could be in use.


About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and Youtube.

Chrysler Recalls 1.4 Million Hackable Cars But Is It Enough?


Car companies have a history of large scale recalls for their products. After all, the safety of their customers fall directly on the shoulders of automakers so why take a chance? But what about computer glitches or even hacks? When is proactive too proactive and when is it not even enough?

Some of today’s cars come equipped with the option to connect to the Internet, but are they safe from hackers? Connected cars can access wireless broadband networks via built-in cellular modems. They allow passengers to stream audio and video, access traffic information and navigate using a touchscreen on the dash. Cyber security experts worry that these connected cars lack adequate digital security and are vulnerable to malicious hackers.

Last week two white hat hackers demonstrated the ability to take control of critical functions on a 2014 Jeep Cherokee to a Wired Magazine reporter. Hackers Charlie Miller and Chris Valasek were able to disable the transmission, spray the windshield with wiper fluid and even engage and disable the brakes. The pair will be presenting details on how they accomplished the hack at next month’s Black Hat cyber security conference in Las Vegas.

The pair said the hack seems to work on any Chrysler vehicle equipped with the Uconnect entertainment system. The Unconnect uses Sprint’s network, and an attacker can scan the carrier’s network for vulnerable targets using a Sprint phone as a WiFi hotspot. Once an attacker has the vehicle’s network information, they can wirelessly overwrite the firmware in the device and take control of the vehicle’s functions from virtually anywhere. Even more alarming, a skilled hacker could program the compromised Unconnect to scan, locate and attack other vehicles through Sprint’s network like a computer worm.

Several years ago Miller and Valasek demonstrated hacking different vehicles through the diagnostic port used by mechanics. Some in the automotive industry scoffed at the potential threat because the hacker would need physical access to the vehicle and the port. Now the prospect of remote hacking has the industry spooked.

Miller and Valasek have been working with Chrysler since they discovered the vulnerability, and the automaker has issued a patch that closes the security loophole. However, the pair plan to release parts of their code at the Black Hat conference for peer review. The released code will allow potential digital carjackers to access some of the less dangerous attacks.

Chrysler has issued a recall notice for over 1.4 million vehicles urging owners to install the software update. The patch requires the vehicle’s owner to take it to the dealer or download it onto a USB thumb drive, so many vehicles will probably remain vulnerable at the time of the conference. If you own one of these vehicles and aren’t sure if it needs the patch, you can check by entering your vehicle’s VIN number into this website here.

There is no doubt that connected cars are traveling on a highway where old tech thinking and new tech thinking must eventually merge. On the one hand, obscure security holes detected in your PC’s OS usually results in an immediate and unconsented updates to your computer. This is for your own good. Malware and viruses are hardly life threatening on any PC but the same cannot be said about a connected car. The dangers have been clearly demonstrated by many car hackers past and present even if they are not an immediate threat to your ’98 Corolla.

So why hasn’t the auto industry defined and implemented procedures to auto update or at the very least, allow consumers to easily update their connected vehicles easily and securely?

On the other hand, Chrysler recalls 1.4 million vehicles based on the possible threat of a hack to those cars. No one has been injured and the hacking threat is still largely unproven but Chrysler is being very proactive here. Let’s just hope that connected car industry doesn’t shut down the entire auto industry before we can experience all the safety and conveniences that connected vehicles offer.

About The Author

Scott N. Schober is a cyber security and wireless technology expert, CEO of Berkeley Varitronics Systems, Inc. and author of Hacked Again. He has appeared on hundreds of television, radio and published news pieces as a cyber security expert and a presenter and panelist at many tech conferences.

Is Drone Skyjacking The New Hijacking?

Screen Shot 2015-06-23 at 6.23.41 PM

Right now most civilian drones are owned by hobbyists for recreational use, but many companies are exploring commercial uses. Drones have already been used for shooting nature documentaries and commercials, aerial surveys on remote properties, checking on crops for farmers and even delivering pizza. They have the potential to revolutionize many aspects of our daily lives. But drones haven’t escaped the notice of cyber criminals.

Why Are Hackers Targeting Drones?

Drones can carry small payloads, which often includes a camera for transmitting wireless video back to the operator. Cyber criminals might tap into the video signal and gain access to valuable surveillance information, or simply hijack the drone to steal it and its cargo or perform other illegal activities.

It seems certain that at some point drones will be required to carry identification information. When that happens, a cyber criminal might hijack a drone to avoid identification much like a street criminal would steal a car to perform a robbery.

Even with legal drones one of the biggest security concerns is their current lack of traceability. Here in the United States, a civilian drone entered the restricted area around the White House during the early morning hours of January 27th and crashed on the lawn. Officials had no way of identifying who it belonged to or what their intentions were. The crash turned out to be an accident and the operator turned himself in the next morning, but it was a wake-up call for security experts. Other operators aren’t so benign. In the United Kingdom police have already confirmed high-tech burglars are using drones to identify houses vulnerable to break-ins.

Why Are Drones Vulnerable to Hacking Attempts?

Unlike simple remote-controlled helicopters, drones have their own computing power. Think of them as flying smartphones without the screen. They have GPS capabilities and can fly along pre-programmed paths, or the operator can manually control them from afar using WiFi signals. If a drone loses control signals from the operator it can return to a designated location on its own.

On the same day the drone crashed on the White House lawn, a cyber security expert uncovered a flaw in Parrot® drones that allowed malware to kill their engines and make them fall from the sky. If the drone is high enough, the malware can restart the engines and take control of the drone.

This isn’t the first time Parrot drones have been used in a drone hack. Two years ago, a legal hacker released instructions on how to build a Parrot drone capable of tracking down other drones and hijacking them using wireless signals. Dubbed SkyJack, the hijacker drone monitors wireless signals and targets MAC addresses registered to Parrot drones. It can force the targeted drone to disconnect from the device controlling it and connect to the hijacker’s signal.

The problem is lack of stringent security measures built into drone operating systems. Many drone models have no security or rely entirely on weak WiFi security measures. As drones become more popular and widely used, drone manufacturers must take the threat of potential drone skyjackers more seriously.

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

How Do You Set Up A “No Phone Zone”?

image description

Cell phones are a modern marvel, but they can also be a tremendous problem for any organization trying to enforce security or safeguard confidential information. The effects of contraband cell phones can be tremendous. Cell phones have been used to intimidate witnesses in criminal courtrooms, break prisoners out of jail and steal classified information.

The private sector isn’t immune to the risks of smuggled cell phones. Attendees use them to record concerts. Students use them to cheat on tests. They’re also unwelcome guests in call centers, secure facilities and confidential meetings. The infamous “47 percent” quote that may have cost Republican candidate Mitt Romney the 2012 Presidential election was secretly recorded on a cell phone at a private fundraiser where phones were prohibited.

Ineffective Detection Tools

The major challenge in keeping cell phones out is they are easily concealed inside clothing and handbags. The recent mobile trend is toward larger smartphones, but feature phones are still readily available and some models are smaller than a credit card. These old-school devices are primitive compared to modern smartphones, but they are capable of sending and receiving texts, recording audio and taking pictures and video.

Conventional metal detectors can find many phones, but walkthrough units are bulky and not portable. Handheld wands are portable, but their range is limited to a few inches so an operator must sweep the detector over the subject’s entire body. Both types will alert to other metal objects.

Most cell phone detectors rely on radio frequency signals to locate devices, but they are ineffective if the phone is powered off or has the wireless antenna disabled. Fortunately, there are tools available to specifically uncover hidden cellular devices, even if they’re not transmitting

Effective Detection Tools

The BVS SentryHound is a portable cell phone detection system that scans subjects as they walk between two posts. It’s very similar to the anti-theft scanners retailers use to prevent shoplifting, but instead of security tags it detects ferromagnetic compounds inside the phone. The posts have a single row of LED lights running their entire length. When the SentryHound finds a device, it sounds an audible alert and illuminates the section of lights closest to the phone. It can also trigger an external device such as a security camera or remote alarm.

The Manta Ray is a handheld cell phone detector that also detects ferromagnetic compounds. Operators can use it to scan handbags, luggage and small parcels without opening them. Buckles and studs will not trigger false alarms.

The SentryHound and Manta Ray are ideal for temporary and permanent “no phone zones.” They allow operators to scan subjects and their possessions quickly and effectively, without labor-intensive searches or compromising the subject’s privacy and dignity.


About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

Global Governments Attempt to Peel The Onion Router

The Dark Web 07g

Tor has been embraced by lawful and unlawful users alike. It helps those who value their online privacy and dissidents who live in countries with oppressive governments, but it also provides ways for cyber criminals, terrorists and other bad guys to avoid identification. This has made breaking Tor’s anonymity a top priority for government agencies both at home and abroad.

What is Tor?

Short for The Onion Router, Tor is a network of donated servers run by volunteers around the globe. Tor works by routing traffic through a random network of computers called relays. For example, say you are located here in Maryland and want to access a web page on a server in Australia. Under normal circumstances, you type in the URL and the packets take a more-or-less direct route from your computer to the Australian server and back.

With Tor, the packets may bounce from relay to relay anywhere in the world, and at each at each step the traffic is encrypted. Each relay only knows where the packet came from and where it is going next. No single computer in the chain knows the entire route. This is what makes Tor users so difficult to identify.

In the United States:

The United States government seems to be of two minds about Tor. On one hand, Tor is a brainchild of the U.S. military. It was created to protect whistleblowers and journalists operating in restricted areas from repartitions, and in 2012, over half of the Tor Project’s revenue came from government grants.

On the other hand, the National Security Agency (NSA) has been working to unmask Tor’s users. The classified documents released by Edward Snowden in 2013 revealed the NSA has had success in separating Tor traffic from regular Internet traffic. This is due to their ability to monitor huge chunks of Internet traffic through connections to the large telecommunications companies that provide Internet access to most of the country’s population.

They have been less successful in separating one Tor user from another. Their best success has come from not from the Tor package, but from the browser it comes from. The default Tor package uses the Firefox browser, which has some vulnerabilities. Most of these vulnerabilities come from plugins like Javascript and Adobe Flash.

Most governments cannot use the NSA’s technique for separating Tor traffic from normal traffic because they lack the close ties to telecom companies or the ability to monitor large swaths of Internet activity in real time.

In Russia:

Last year the Russian Ministry of the Interior ran a contest for Russian nationals and companies with a goal of finding a workable method of de-anonymizing Tor’s users. The grand prize? A contract worth a cool 4 million rubles, equivalent to $111,000 USD. News reports indicate the contract was awarded, but the Russian government did not name the winner.

In China:

While the Chinese government has been silent on what efforts they are taking to unmask Tor users, it is known they have taken the approach of blocking access to the Tor software and public relays. The “Great Firewall of China” is capable of deep packet inspection and can identify and block non-public relays based on specific protocols unique to Tor. It is possible for Tor users in China to get around these blocks using different techniques.

What’s in Tor’s Future?

The Tor Project has a core of a small number of employees, but uses a network of volunteers and crowdsourced labor to patch vulnerabilities and keep its users anonymous. When the annual Black Hat security conference announced a panel on how to de-anonymize Tor users, the team went to work on closing the loophole before the conference even took place. It seems that for now, Tor will remain a useful tool for those who wish to keep their online activities secret, for better or worse.

About The Author:

Scott N. Schober is a Cyber Security Expert and the President and CEO of Berkeley Varitronics Systems, Inc., a 40-year-old provider of advanced wireless RF test and security solutions. Scott has overseen the development of numerous cell phone detection tools used to enforce a ‘no cell phone policy’ in correctional, law enforcement, corporate, university, military and secured government facilities.

Teachers Have New Enemy In War On Cheating


Back in the days before the Internet, ethically-challenged students could make a quick buck by selling copied test questions to other students who still needed to take the test. Now students are trading copied tests on the Internet using social media instead of in the hallways.

In the old days, most tests were not standardized so students in one district might take a totally different test than students just a few miles away. The few standardized tests such as the ACT and SAT were given to almost all students within just a few days.

Tests are copyrighted material, and testing companies monitor social media services like Facebook and Twitter using automated software. The software scans user comments, looking for keywords or trigger phrases. Scanning social media for advanced tests such as college admittance and professional licensing exams has been going on for a long time, but social media monitoring for K-12 tests is fairly new.

Adoption of Common Core standards has led to an increase in the number of standardized tests, and changes to the school schedule in some areas has lengthened the testing window significantly. Students in one state might be taking the same test as students in a different state with as much as a month between them. If a student who took the test early shares information about the contents and material it covers, students who take the test later have an unfair advantage.

Test Security and Privacy Concerns

Last month the test publishing company Pearson came under fire for deleting a New Jersey student’s tweet regarding a question on a Common Core test. Pearson also informed the New Jersey Department of Education (DOE), which then contacted the superintendent asking school staff to discipline the student. Parents and Common Core critics blasted the test publisher and the New Jersey DOE, accusing them of spying on students and invading their privacy.

Originally an unnamed state DOE employee indicated the deleted tweet included a link to a picture of the test, but that wasn’t the case. The student’s message did not compromise the test contents.

Pearson issued a statement defending their actions, though they did change their policies regarding matching online accounts to students. Pearson had been matching the names to school rosters, now they are giving the names to the state DOE.

Smartphones, Social Media and Test Security

Even though a cell phone was not involved in this particular incident, they do pose a significant threat to testing integrity. Students use them to cheat by looking up answers, and most smartphones come with social media apps built right in. A few snaps with a smartphone camera can compromise the entire test. Berkeley Varitronics Systems offers tools educators can use to detect and locate cell phones being used in the classroom or before they even get that far. Contact us for more information about maintaining the integrity of your testing environment.

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, government and educational organizations to manage secure facilities and maintain wireless networks.

Why Healthcare Hacking Has Become Big Business


As banks and large retailers have taken steps to harden their networks, hackers have turned their attention to healthcare providers. Just recently, Premera announced a breach that took place last year may have exposed the personal and financial data of approximately 11 million customers. Last month, the nation’s second largest health insurance company reported the information of approximately 80 million people was exposed to hackers in a breach discovered on January 29th.

There are several reasons hackers have focused their attention on healthcare companies, even though companies in the industry don’t usually handle financial transactions.

Healthcare companies keep patients’ personal and financial data. Many patients use online payment options, which means their records may have information such as bank accounts and debit/credit card numbers. Even without financial data, criminals can use personal data to commit crimes such as identity theft and insurance fraud. They can also use email addresses to target patients for phishing scams. While email addresses are easy to change, other information such as names, birth dates, physical addresses and social security numbers are much more problematic if compromised.

Healthcare companies keep and share patient records. As part of the Affordable Care Act, healthcare providers are required to maintain their records electronically and share the data with other healthcare providers. This means if a patient must visit a doctor while on a trip or sees a specialist at another facility, the new doctor can access their records and information. This is important because patients can’t always tell the new provider important details like life-threatening allergies to medications.

Sharing information has real benefits for providers and patients, but it also increases risk of exposure. Because healthcare providers share data, if a criminal uses a patient’s data to obtain prescription drugs, the false prescriptions could become a part of the patient’s record and affect a doctor’s medical decisions in the future. For example, some drugs are incompatible. If a false record shows a patient is taking a drug that is not compatible with the preferred medication, a doctor may be forced to choose a less effective alternative medication.

Healthcare companies are a soft target. Companies in the healthcare industry are more focused on regulatory compliance than security. In the wake of the ACA many small software companies sprang up offering patient record and database software. Some healthcare companies developed their own software, but many opted to purchase off-the-shelf products from these companies. Many have gone out of business or been absorbed into other software companies, leaving the healthcare provider without security updates.

Even when security problems are known and updates are available, they often go for long periods without being patched. WhiteHat Security recently revealed only 24% of known security flaws in the healthcare industry are patched at any given time. Even more troubling, the average length of time for a healthcare site to fix security problems is a whopping 158 days.

Healthcare companies must take steps to harden their networks against hackers. Security breaches can have long-lasting effects on a patient’s financial and physical health.

Learn more about healthcare and other hacking targets. Subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit www.CyberSecurityDictionary.com for more terms and definitions.

These Are Your Must-Have Secure Mobile Messaging App Features



When you send a text or MMS from your phone the normal way, you can’t control what happens to the information once it leaves your device. Wireless carriers are required to save messages for a certain length of time to assist authorities in criminal investigations. The recipient can save the message indefinitely, or send it to someone else without your knowledge or permission.

That means those risqué photos, videos or texts you sent to your significant other could come back to haunt you in the future. There are web sites where people post pictures and messages of a private nature sent by their exes as a form of revenge. Relatively innocuous business-related messages could prove damaging if taken out of context later. Even if you don’t have a disgruntled ex or business partner, the recipient’s device could be lost or stolen, or their cloud accounts hacked.

Several messaging and social media apps have sprung up in response to these security concerns. But how secure are they? Let’s examine the features you should look for in a messaging app that will keep your private messages under wraps.

End-to-End Encryption

Encryption uses a public and private key to encode and decode the messages. A secure messaging app should generate and store the keys on the user’s device, not on a server. The keys should only leave the device by action of the user, such as creating a backup or transmitting them to a new device. This means that even if a company is subpoenaed or required to deliver your private messages to the authorities, they technically cannot.

In-Transit Encryption

Encryption during transmission is important because these apps use a data connection instead of the phone connection. If you or the recipient is on WiFi, the messages could be intercepted and read by a third party. The app should also encrypt stored messages, in case the device is hacked or falls into the wrong hands.

Permanent Deletion

The digital storage on a smartphone works much like a PC’s hard drive. By default when you delete something, the operating system marks the space as available, but doesn’t actually remove the data until something overwrites the space. A secure messaging app should either remove the information completely, or only store the messages in RAM. Some messaging apps automatically delete the messages once they are read or after a specific length of time.

User Friendliness

While this isn’t a security feature in itself, it’s still important. Most secure messaging apps require both parties to be using the same app. If you choose one that isn’t user-friendly, it will be difficult to convince others to join and they may not stay. If you’re choosing a messaging app for business purposes, your employees may be tempted to find their own solution and resort to easier to use but less secure apps instead.

Which Messaging App Should I Use?

Most mass market messaging apps were not designed with security in mind. Apps like Yahoo! Messenger, AIM, Google Hangouts, SnapChat and Viber encrypt messages during transit, but leave them vulnerable to being read at other points.

Of the more popular messaging apps, iMessage and FaceTime are the most secure but are limited to Apple products. On the Android exclusive side, users concerned about security can use TextSecure. Other secure messaging apps such as Cyber Dust, Silent Text and ChatSecure support both platforms.

The best way to decide which app is right for you is to ask your contacts or employees and find out if there is a secure messaging app they are already using. If they are using an app without robust privacy protection, try out a few different apps and determine which one has the features you need the most.

Learn more about texting security features. Subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit www.CyberSecurityDictionary.com for more terms and definitions.