Meta-owned WhatsApp is often working on new updates to roll out to make user experience on the platform smoother and secure. While WhatsApp rolled out the feature to link your account on more than one device ages ago, a new update makes it possible for users to stay connected to their WhatsApp account on four different devices and one smartphone simultaneously. The instant-messaging platform will now allow users to link their WhatsApp account on four devices and a phone, making it easier to stay connected on web and desktop.

All your personal messages, media, calls will stay secure with end-to-end encryption that will work on all your linked devices. "Your personal messages, media, and calls are end-to-end encrypted. Each linked device connects to WhatsApp independently while maintaining the same level of privacy and security through end-to-end encryption that people who use WhatsApp have come to expect," WhatsApp said.

If you do not know where all you have linked your WhatsApp on, then go to your WhatsApp Settings, click on Linked Devices and then review all the devices where you have linked your WhatsApp account. In case you want to remove an account, click on the device mentioned in the list and tap on 'Log Out' option.

The new features related to Group which will start rolling out on WhatsApp globally over the coming weeks.

Read the original post:
Now you can link 4 accounts on WhatsApp & use it even when you're offline, easily discover common groups w - The Economic Times

Security breaches have become increasingly common, with businesses and individuals alike falling victim to cybercriminals. In 2022, there were 1802 data compromises in the US, affecting 422 million individuals through data breaches, leakage, and exposure, all resulting in unauthorized access to sensitive data by threat actors.

Third-party audits have revealed that many of these breaches are the result of common security vulnerabilities that could have been prevented with proper security controls and testing. These vulnerabilities include outdated software, weak passwords, and misconfigured servers, among others.

With so much of our sensitive data being stored and transmitted online, its crucial to follow proper cyber hygiene to minimize the risk of data breaches and cyber attacks.

In this article, well explore some practical tips for dealing with security exploits and vulnerabilities, as well as ways to verify that the services and apps we use are secure.

A security vulnerability refers to a software or system flaw that attackers can exploit for various reasons to gain unauthorized access, disrupt operations, steal data, or inflict other forms of harm. These vulnerabilities can occur at any level of a system, from the operating system and network protocols to individual applications.

Exploits are attacks that take advantage of security vulnerabilities to gain unauthorized access or perform other malicious actions. An exploit is a specific technique or method that an attacker uses to take advantage of a vulnerability.

Exploits can be created for known vulnerabilities, but they can also be zero-day exploits, which are exploits that take advantage of vulnerabilities that are not yet known to the vendor or the public. Zero-day exploits are particularly dangerous because there is no patch or fix available to prevent the attack.

Some of the most dangerous vulnerabilities in companies and organizations that operate in the US include:

Overall, security vulnerabilities represent a significant menace to individuals, organizations, and society at large. It is vital to keep an eye out for possible vulnerabilities and to take proactive measures to prevent their exploitation.

The known vulnerabilities catalog is a comprehensive database with all the known flaws of various software and hardware products. It serves as a critical tool for cybersecurity professionals because it helps them identify, assess, and mitigate vulnerabilities in their organizations.

By referencing the catalog, cybersecurity professionals can identify potential security weaknesses in their organizations software and hardware products.

The catalog is developed and maintained by the Cybersecurity and Infrastructure Security Agency (CISA), a government agency responsible for safeguarding the nations critical infrastructure against cyber threats.

It provides details such as vulnerability descriptions, CVSS scores, and the impact of the vulnerabilities. Finally, the catalog is updated as new vulnerabilities are discovered.

Organizations can utilize third-party audits to identify security vulnerabilities in their systems. Some of the most common security vulnerabilities found by third-party audits include:

Regarding VPN audits, some of the most common security vulnerabilities found by third-party audits include:

Overall, it is important for organizations to conduct regular third-party audits to identify and mitigate security vulnerabilities and to ensure that their systems and applications are secure.

Security vulnerabilities can be spotted through a variety of methods.

Penetration testing, which involves hiring ethical hackers to try and exploit vulnerabilities in a system is one of the best ways to spot security flaws. The results of the testing can reveal any weaknesses in the system.

Vulnerability scanning relies on software to check the system for known vulnerabilities, but its not always as reliable as an expert, so its often used in conjunction with pen testing.

Next up we have code reviews, which just means examining the source code of a system to identify any potential vulnerabilities that could be exploited. This can help identify areas of the system that need to be hardened to prevent attacks.

Bug bounty programs are incentivized programs that reward researchers for finding and reporting security vulnerabilities in a system.

User reports can also report security vulnerabilities they come across while using a system. This can be done through support channels or dedicated security reporting mechanisms.

In general, a combination of these methods is often used to ensure that vulnerabilities are identified and addressed before they can be exploited by attackers.

Disclosure of cybersecurity vulnerabilities is a complex issue and requires a careful consideration of various factors. Here are some general guidelines on when security vulnerabilities should be disclosed:

In general, disclosure of cybersecurity vulnerabilities can help improve the security of the affected software or system, but it should be done in a responsible and coordinated manner to avoid exposing users to unnecessary risks.

Yes, Private Internet Access (PIA) has undergone a third-party audit by Deloitte, one of the Big Four accounting firms. The audit was conducted in 2022 and included a review of PIAs infrastructure, policies, and procedures.

Deloittes audit found that PIAs security controls were suitably designed and implemented to protect user data and maintain the confidentiality, integrity, and availability of its services. The audit also found that PIA had implemented appropriate measures to prevent unauthorized access to user data, such as multi-factor authentication and strong encryption.

Overall, the audit by Deloitte demonstrates our commitment to transparency and accountability of our security practices.

Here are some reasons why a security audit is crucial for a VPN, and for service that handles personal information, for that matter:

A security audit can demonstrate to customers that the service provider takes security seriously and has implemented appropriate security measures to protect their personal information. This can help build trust and confidence in the service.

Security vulnerabilities are a serious threat to individuals, businesses, and society as a whole. With the increasing number of data breaches and cyber attacks, it is crucial to identify and address security vulnerabilities to prevent them from being exploited by attackers.

Using strong passwords, updating software regularly, properly configuring servers, and conducting regular security audits are best practices for cyber hygiene.

Always use services from reputable vendors who prioritize security and are transparent about their security practices. Regular security audits and compliance with industry standards, such as ISO 27001, can also provide assurance that a service provider is committed to security best practices.

A security vulnerability refers to a weakness or flaw in a computer network, application, or system that can be utilized by attackers to gain access without authorization, steal confidential information, or cause damage.

Vulnerabilities may arise due to various factors such as software code errors, incorrect configurations, or inadequate security practices.

There are several factors that can cause security vulnerabilities, including:

Programming errors or bugs in software code Misconfigured or poorly secured systems Failure to apply software patches or updates Human error or negligence Malicious software, such as viruses or malware Weak or easily guessable passwords Lack of security awareness and training

Security vulnerabilities can come in many different forms and their prevalence may depend on the specific situation. Some examples of commonly occurring security vulnerabilities include:

Cross-site scripting (XSS) SQL injection Misconfigured or unsecured servers Insecure passwords or authentication mechanisms Buffer overflows Missing security patches or updates

Managing security vulnerabilities involves a proactive approach to identify, prioritize, and address vulnerabilities in a timely and effective manner.

There are several recommended best practices for managing security vulnerabilities, such as conducting regular vulnerability assessments,penetration testing and monitoring system logs and network traffic for any signs of suspicious activity.

Yes, PIA has undergone a security audit by Deloitte, which reviewed its infrastructure, policies, and procedures to ensure compliance with industry standards for security and privacy.

Deloittes report found that PIAs security controls were appropriately designed and implemented, and that it had measures in place to prevent unauthorized access to user data.

This independent audit demonstrates PIAs commitment to transparency and accountability in its security practices, and its dedication to protecting user privacy and security online.

Read the original post:
How to Deal with Security Vulnerabilities - PIA VPN - Privacy News Online

Protecting data has become a critical part of every organizations operation. However, choosing the best method of data encryption can be difficult with all the available options. Here we discuss the various encryption methods available, the strengths and weaknesses of each, and approaches to simplify data encryption.

Encryption is the transformation of sensitive data (plaintext) into obfuscated data (ciphertext) using a mathematical algorithm and a key. The key is a random set of bits of a given length. To protect the data, the key must be kept secure.

Data encryption can be further broken down into two types, Symmetric and Asymmetric encryption.

In symmetric encryption, the same encryption key is used to both encrypt and decrypt the data. Therefore this single key must be kept confidential by all parties using it.

The most common symmetric encryption algorithm today is advanced encryption standard (AES), known for its security and being widely available.

AES can be deterministic or random. Deterministic means that for a given key and plaintext, the ciphertext is always the same, whereas random means the ciphertext is different every time. Random ciphertext values provide additional security when there are a small number of plaintext inputs, also known as low-cardinality. For example, a persons age is between 0 and 1221 so the cardinality is 123 possible inputs. At one extreme, the cardinality could be two, say the answer to, Has patient been diagnosed with Type II Diabetes, true/false. In that case, a deterministic system is not going to work well because a bad actor would only have to verify one person with or without diabetes and know everybodys situation. However, a random system will have different values for every person providing additional security.

Asymmetric encryption, also known as public key encryption, is a type of encryption that uses two different keys for encrypting and decrypting data. One key, known as the public key, is used for encryption and can be freely shared with anyone, while the other key, the private key, is kept secret and used for decryption. Alternately for digital signatures and authentication use cases, the private key is used to encrypt and the public key decrypts to validate the identity of the key holder.

Asymmetric encryption solves a major challenge with symmetric encryption in that it provides a secure way of exchanging sensitive information over insecure channels, such as the internet, without the need for a shared secret key. This is because only the person with the private key can decrypt the data, even though the public key used to encrypt the data is widely known.

One of the most commonly used examples of asymmetric encryption is the RSA algorithm, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman.

Format Preserving Encryption (FPE) is a type of encryption that allows for the encryption of data while preserving its original format. Unlike traditional encryption, which typically produces ciphertext of fixed length, FPE produces ciphertext that retains the original length and format of the plaintext.

FPE is commonly used in situations where the format of the plaintext data is important, such as credit card numbers, social security numbers, and other types of sensitive data. By preserving the original format, FPE allows for encrypted data to be used in systems and applications that require the same format as the original plaintext data.

In 2016 NIST published SP 800-38G defining FPE. It uses industry standard AES, along with the advantages of performance and security that brings, but the process is modified such that the ciphertext is the same length and format as the plaintext.

FPE has proven to be highly secure and performant with any cardinality of a million or more. This translates to any numerical data (0-9) with six or more digits; so phone numbers, social security numbers, national IDs, drivers licenses, and credit cards easily meet this. Accordingly, most alpha-numeric (0-9, A-Z, a-z) data meets this need with shorter possible length, such as names and addresses. FPE output libraries can consist of numbers (0-9), letters (A-Z, a-z) or both.

Partial FPE is also possible. For example, the social security number 111-22-3333 could be partially obfuscated to 532-58-3333 so that the last four digits can be used by customer support personnel to identify a client.

FPE has recently become the favorite algorithm of choice for most organizations migrating their data to the cloud. It provides assurances that the data will be protected while outside of their network boundaries, but also that it will not break any applications that expect data to be formatted in specific ways.

The one downfall common to traditional data encryption methods is that operations doing math, searches, or sorts cant be done on the ciphertext data. If an organization must do this type of operation but cant allow the sensitive data itself to be decrypted, this is where privacy enhanced computation (PEC) comes into play. Privacy preserving analytics is another term. There are three competing versions.

Homomorphic Encryption is complex math done on the encrypted data to enable mathematical operations. The security has been called into question on this method, but the biggest issue is that it requires so much processing power that performance is slowed by orders of magnitude. As of today, it is mostly impractical.

Secure Multi-party Computation (SMPC) is a procedure where the sensitive data is broken into pieces and shared amongst several parties. The keys or secrets are also broken and distributed amongst the parties. The keys are combined using one of several methods and then the computations are done on all the data pieces in such a way that the results are calculated, but the individual inputs are meaningless. The downside to SMPC is it requires separate functions to act as the parties and do the computations resulting in some additional delay.

Private Enclave applies the concept of performing all memory and processing in a separate and highly secure portion of a computer processor. Intel processors provide this capability, and they call it SGX. The encrypted data goes in, it is decrypted and processed, then only the results are sent out. One downside to SGX is that distributed computing cant be done since everything is confined to a single enclave. Additionally, your database processors all have to be Intel with SGX capabilities. Finally, several vulnerabilities in SGX have been found. Though this is true of every computing device and application and it is why patching and updates are part of all security practices.

Baffle implements PEC in database user-defined functions (UDF). Similar to SGX, UDFs allow operations on encrypted data by processing it within the UDF. Even the DBA isnt able to access the decrypted data with this method. This has proven to be the best combination of security and performance.

Data encryption has become essential in safeguarding sensitive information for organizations of all sizes. The available encryption types include symmetric and asymmetric encryption, each with its own strengths and limitations. Symmetric encryption is faster and more efficient than asymmetric encryption, but it requires secure key management, while asymmetric encryption provides secure key distribution, making it highly scalable. Format Preserving Encryption (FPE) is a new type of encryption that preserves the original format of the plaintext, making it ideal for sensitive data like credit card numbers and social security numbers. With FPE, organizations can now protect their data in the cloud without compromising their applications data format, making it the algorithm of choice for most organizations migrating their data to the cloud.

Ideally, organizations should look for data encryption solutions that provide simplicity in deployment and management. Baffles solution uses a unique approach that does not require any application code to be modified, and simplifies management from a centralized console. Learn more here.

The post Data Encryption Methods and their Advantages and Disadvantages appeared first on Baffle.

*** This is a Security Bloggers Network syndicated blog from Baffle authored by Billy VanCannon, Director of Product Management. Read the original post at: https://baffle.io/blog/data-encryption-methods-and-their-advantages-and-disadvantages/

Read more:
Data Encryption Methods and their Advantages and Disadvantages - Security Boulevard

from the don't-make-me-tap-the-sign dept

The UK government is entertaining even more plans to undermine (or actually outlaw) end-to-end encryption. And its not gaining any support from the multiple services (and multiple people) these efforts would harm.

Both Signal and Proton have made it clear theyll pull their services rather than weaken their encryption to comply with UK government demands. WhatsApp is saying the same thing telling the UK government something it has already told it at least twice.

In 2017, WhatsApp made an unofficial announcement of its policies when UK law enforcement showed up with a demand to compel decryption of a targeted account. WhatsApp refused to comply and the UK government apparently decided not to press the issue. At least not directly.

Five years later, the UK government is still hammering away at encryption, adding more mandates to its steadily simmering Online Safety Bill. And WhatsApp told the UK government what it told it back in 2017: breaking encryption just isnt an option. (In the form of a lawsuit challenging an Indian law, WhatsApp said the same thing to the Modi administration and its series of rights-violating internet-related laws.)

Another year has passed and the UK government still wants to get the Online Safety Bill passed. And, once again, Meta has surfaced to tell the government that it can pass all the laws it want, but none of them will force WhatsApp to undermine its encryption.

WhatsApp would refuse to comply with requirements in the online safety bill that attempted to outlaw end-to-end encryption, the chat apps boss has said, casting the future of the service in the UK in doubt.

Speaking during a UK visit in which he will meet legislators to discuss the governments flagship internet regulation, Will Cathcart, Metas head of WhatsApp, described the bill as the most concerning piece of legislation currently being discussed in the western world.

The UK government doesnt have any leverage here. WhatsApp will simply stop offering its service in the UK. As Cathcart points out, 98% of its users reside in other countries. And theres no reason it should put all of its users at risk, just because the home to 2% of its user base is being stupid about end-to-end encryption.

Now, that 2% would probably like to have access to an encrypted messaging service, whether its WhatsApp, Signal, or Protons offering. Unfortunately for them, supporters of the bill dont want them to have these options. But thats not going to work out well for the government. Angering constituents tends to shift the leverage back their way, which means legislators are pushing a terrible bill from a position of weakness.

The potential for hefty fines only makes it more likely service providers will exit this market rather than give the government what it wants.

Under the bill, the government orOfcomcould require WhatsApp to apply content moderation policies that would be impossible to comply with without removing end-to-end encryption. If the company refused to do, it could face fines of up to 4% of its parent company Metas annual turnover unless it pulled out of the UK market entirely.

If the options are providing a weakened service that harms all users or shelling out 4% of its income on a regular basis, the option these legislators failed to consider is really the only intelligent option: exiting the market.

And when that starts happening, the government is going to get an earful from the people it never bothered to listen to in the first place: domestic users of services these legislators are actively trying to destroy.

Filed Under: encryption, online safety bill, ukCompanies: meta, whatsapp

See the rest here:
WhatsApp Tells UK Government It's Still Not Willing To Undermine ... - Techdirt