Monday, 27 January 2014

Facebook Hacker received $33,500 reward for Remote code execution vulnerability


Facebook has paid out its largest Bug Bounty ever of $33,500 to a Brazilian security researcher for discovering and reporting a critical Remote code execution vulnerability, which potentially allows the full control of a server.

In September, 'Reginaldo Silva' found an XML External Entity Expansion vulnerability affecting the part of Drupal that handled OpenID, which allows an attacker to read any files on the webserver.

As a feature, Facebook allows users to access their accounts using OpenID, in which it receives an XML document from a third-party service and parses it to verify that it is indeed the correct provider, i.e. it receives the document at https://www.facebook.com/openid/receiver.php

In November 2013, while testing Facebook's 'Forgot your password' functionality, he found that the OpenID process could be manipulated to execute any command on the Facebook server remotely and also to read arbitrary files on the webserver.

In a proof of concept, he demonstrated how an attacker can read the content of the '/etc/passwd' file from Facebook's server just by manipulating the OpenID request with malicious XML code, in order to extract essential login information such as system administrator data and user IDs.
"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a [remote code execution] and then work on it while it was being fixed," he said.
After receiving the bug reports from Silva, the Facebook Security team immediately released a short-term patch within 3.5 hours, described as:
"We use a tool called Takedown for this sort of task because it runs on a low level, before much of the request processing happens. It allows engineers to define rules to block, log and modify requests. Takedown helped us ensure this line of code ran before anything else for any requests hitting /openid/receiver.php."
The Facebook team determined that the vulnerability could have been escalated to a remote code execution issue, and rewarded Silva accordingly after patching the flaw.

Update: Facebook has accepted the flaw as Remote code execution (RCE). In a post Facebook said, "We discussed the matter further, and due to a valid scenario he theorized involving an administrative feature we are scheduled to deprecate soon, we decided to re-classify the issue as a potential RCE bug".
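
The defensive side of the bug described above, as an added example that is not Facebook's or Drupal's code: a parser for provider documents that refuses any DOCTYPE or entity declaration before a single entity can be resolved. The document shape (an OpenID 2.0 XRDS discovery file), the function name and both sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat

# XRD namespace used by OpenID 2.0 discovery documents (assumed document type).
XRD_NS = "xri://$xrd*($v*2.0)"
URI_TAG = f"{XRD_NS} URI"


class ForbiddenXML(ValueError):
    """Untrusted XML tried to declare a DTD or an entity."""


def extract_service_uris(document: bytes) -> list:
    """Return the <URI> values of a provider document, rejecting DTDs outright."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    uris = []
    current = None  # text chunks collected while inside a <URI> element

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DTD, so stopping here is enough.
        raise ForbiddenXML("DOCTYPE not allowed in provider documents")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML("external entity reference not allowed")

    def on_start(name, attrs):
        nonlocal current
        if name == URI_TAG:
            current = []

    def on_text(data):
        if current is not None:
            current.append(data)

    def on_end(name):
        nonlocal current
        if name == URI_TAG and current is not None:
            uris.append("".join(current).strip())
            current = None

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl       # defence in depth
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return uris


# Constructed sample: a well-formed provider document.
BENIGN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample: the same document with an external entity declared.
HOSTILE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE x [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&e;</URI></Service></XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    print(extract_service_uris(BENIGN_XRDS))
    try:
        extract_service_uris(HOSTILE_XRDS)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE is stricter than disabling external entity loading, and it also closes off entity-expansion denial of service in the same step.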

Converting Google Chrome into a Bugging Device by exploiting Speech Recognition feature



 
How many of you use Google Chrome for surfing the Internet and feel safe while working on it? I think many of you. Chrome is one of the most trusted web browsers, providing a user-friendly environment and cyber security, but we all know that every product has its negative side too, and so does Google's Chrome.

Chrome has a 'Voice Recognition' feature that uses your system's microphone and allows you to speak instead of typing into any text box, to make hands-free web searches and quick conversions; the audio translator also works with it.

Google's browser is not immune to bugs either, and this time the new bug discovered in Chrome is capable of listening to and recording your whole private conversations without your knowledge, by abusing the voice recognition feature.

While working on 'Annyang', a voice-to-text software for websites, the web developer 'Tal Ater' discovered a vulnerability that can be exploited to let malicious sites turn your Google Chrome into a listening device that can record anything said around your computer, even after you've left those sites.

Whenever a user visits a speech recognition site that offers to let them control the site by voice, Chrome asks for permission to use the microphone and the user accepts. Chrome shows an icon in the notification area indicating that your microphone is on, which is supposed to be turned off when you close that tab or visit another site.

All a malicious site has to do is get you to enable voice control for any legitimate purpose and shoot out a pop-under window disguised as an ordinary ad, to keep your microphone 'ON'. As long as it remains open, every noise you make will be uploaded to the hacker's server without asking any permission.

He also explained that just using a secure HTTPS connection doesn't mean that the site is safe. Once you give an HTTPS site permission to access your microphone, Chrome will remember and won't ask your permission again for that site.


He reported the flaw to the Google security team in late September, 2013; they accepted the loophole, but never released the update to the desktop users.

A few weeks later, Tal Ater asked the Google Security Team about the reason for the delay in patch delivery, and they replied, “we are waiting for the web’s standards organization, the W3C group to agree on the best course of action”, and so your browser is still vulnerable.

After the public release of POC, the Google spokesperson said, "We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements."

He has published the source code for the exploit to encourage Google to fix it and to maintain users' Internet security.

Microsoft remotely deleted Tor-based 'Sefnit Botnet' from more than 2 Million Systems


In October 2013, Microsoft adopted a silent, offensive method to tackle infections caused by a Tor-based botnet malware called 'Sefnit'.
In an effort to take down the Sefnit botnet and protect Windows users, Microsoft remotely removed older versions of the installed Tor Browser software and the infection from 2 million systems, even without the knowledge of the systems' owners.

Last year in August, after the Snowden revelations about the National Security Agency's (NSA) spying programs, Internet users feared being spied on. During the same time, Tor Project leaders noticed an almost 600% increase in the number of users on the Tor anonymizing network, i.e. more than 600,000 users joined Tor within a few weeks.

In September, researchers identified the major reason for the increase in Tor users, i.e. a Tor-based botnet called 'Sefnit malware', which was infecting millions of computers for click fraud and bitcoin mining.

To achieve the maximum number of infections, cyber criminals were using several ways to spread their botnet. On later investigation, Microsoft discovered that some popular software such as Browser Protector and FileScout was bundled with a vulnerable version of Tor Browser and Sefnit components.
'The security problem lies in the fact that during a Sefnit component infection, the Tor client service is also silently installed in the background. Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network.'
It was not practically possible for Microsoft or the Government to instruct each individual on 'How to remove this Malware', so finally Microsoft took the decision of remotely washing out the infections themselves. 

To clean infected machines, Microsoft began updating definitions for its antimalware apps.
"We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline." and later also in Malicious Software Removal Tool.
But why Tor Browser?
"Even after Sefnit is removed, unless specific care is taken, the Tor service will be left and still regularly connect to the Tor Network. This is a problem not only for the workload it applies to the Tor Network, but also for the security of these computers." Microsoft says.
So they removed it, and to justify their action, Microsoft points out several vulnerabilities in the Tor version bundled with the Sefnit malware, i.e. Tor version 0.2.3.25, which opens the user to attack through these known vulnerabilities.
"Tor is a good application used to anonymous traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release builds at the time of writing is v0.2.4.20."
Maybe this is the right way to neutralize the infections, but Microsoft's action also makes clear its capability to remotely remove any software from your computer.

Nicholas J. Hopper from University of Minnesota, provided a detailed explanation about 'Protecting Tor from botnet abuse in the long term' in a paper.

First Ever Windows Malware that can hack your Android Mobile


Hey Android users! I am quite sure that you must be syncing your Smartphone with your PCs for transferring files and generating backup of your device. 

If your system is running a Windows operating system, then it's bad news for you. Researchers have discovered a new piece of Windows malware that attempts to install mobile banking malware on Android devices while syncing.

Last year in February, Kaspersky Lab revealed an Android malware that could infect your computer when connected to a smartphone or tablet.

Recently, researchers at the antivirus firm Symantec discovered another interesting piece of Windows malware called ‘Trojan.Droidpak’, which drops a malicious DLL on the computer system and then downloads a configuration file from the following remote server:
http://xia2.dy[REMOVED]s-web.com/iconfig.txt
The Windows Trojan then parses this configuration file and downloads a malicious APK (an Android application) to the following location on the infected computer:
%Windir%\CrainingApkConfig\AV-cdk.apk
To communicate with the mobile device, the command line tool Android Debug Bridge (ADB) is required, which allows the malware to execute commands on Android devices connected to the infected computer. ADB is a legitimate tool and part of the official Android software development kit (SDK).

In the next step, the trojan downloads all the necessary tools, including Android Debug Bridge, and the moment you connect an Android device with USB debugging mode enabled, it initiates the installation process and repeats it until it ensures that the connected device has been infected, installing an app that appears as a fake Google App Store.
Such Windows malware is the first of its kind, since attackers usually prefer to use social engineering techniques to spread their fake malicious apps hosted on third-party app stores. The installed malware, dubbed "Android.Fakebank.B", is able to intercept the victim's SMS messages and then send them to the attacker's server located at:
http://www.slmoney.co.kr[REMOVED]
Anyway, relax if you are not a Korean citizen, because the malicious APK actually looks for certain Korean online banking applications on the compromised device.

If you want to protect your mobile and system from such a malware attack, please consider a few points while connecting to a Windows-based computer:
  • Turn off USB debugging on your Android device when you are not using it
  • Avoid connecting your droid to public computers
  • Only install reputable security software
  • Keep your system, software and antivirus up to date.
Stay Safe!

Google announces $2.7 million Reward for hacking Chrome OS at Pwnium Contest

Pwnium is the annual Hacking competition where Google invites coders from around the world to find security holes in Google Chrome.

Google has announced its 4th Pwnium Hacking Contest hosted at the Canadian Security conference in March, offering more than $2.7 million in potential rewards for hacking Chrome OS-running ARM and Intel Chromebook.

This year the security researchers have a choice between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), and the Acer C720 Chromebook (2GB WiFi), based on Intel's Haswell microarchitecture.

The attack must be demonstrated against one of these devices running "then-current" stable version of Chrome OS.

"Security is a core tenet of Chromium, which is why we hold regular competitions to learn from security researchers. Contests like Pwnium help us make Chromium even more secure," Jorge Lucángeli Obes, Google Security Engineer said.

Amongst the payouts are $110,000 for the browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page.

Google will also pay USD 150,000 for providing an exploit able to persistently compromise an HP or Acer Chromebook, i.e. hacking the device to retain control even after a reboot.

Google further revealed that it will be giving out bonuses to all those who come up with an impressive exploit to defeat kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process. The full exploit must be given to Google with explanations for all individual bugs used.
"To register, email pwnium4@chromium.org. Registration will close at 5:00 p.m. PST Monday, March 10th, 2014. Only exploits demonstrated on time in this specifically-arranged window will be eligible for a reward."
The earlier editions of Pwnium competitions focussed on Intel-based Chrome OS devices, and Google had paid out $50,000 to a prolific hacker who goes by "Pinkie Pie," for an exploit.

Do you think you are up to the task? Gear up your keyboards & Give it a try!

Sunday, 19 January 2014

Cisco Routers vulnerability still unfixed

In the first week of this year, we reported a critical vulnerability found in more than 2000 routers that allows attackers to reset the admin panel password to defaults. Recently, Cisco released a security advisory detailing a similar vulnerability affecting three of its networking products. Cisco has rated the flaw highly critical and marked it as 10.0 on the Common Vulnerability Scoring System (CVSS).

A security researcher found a secret service listening on TCP port 32764 that allowed a remote user to send unauthenticated commands to the device and reset the administrative password. Successful exploitation of the vulnerability allows the hacker to execute arbitrary commands on the device with escalated privileges.

Vulnerable Cisco products are: WAP4410N Wireless-N Access Point, Cisco WRVS4400N Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit Security.

"This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges."

A similar backdoor is also present in multiple devices from Cisco, Netgear, Belkin and other manufacturers, according to the security researcher, Eloi Vanderbeken. He has also released a Python-based exploit script to automate the exploitation.

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0659. Cisco has not yet patched the bug, but it is promising to do so by the end of this month.

100,000 Refrigerators and other home appliances hacked to perform cyber attack

Have you given shelter to zombies in your house? No? Maybe you have no idea about it. After computers, servers, routers, mobiles and tablets, now it is the turn of your home appliances to be a weapon or a victim of cyber war.

Recently, security researchers from Proofpoint found more than 100,000 smart TVs, refrigerators and other smart household appliances compromised by hackers to send out 750,000 malicious spam emails. As the 'Internet of Things' becomes smart and popular, it has become an easy weapon for cyber criminals to launch large-scale cyber attacks.

“The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting Enterprises and individuals worldwide."

Previously, such attacks were only described theoretically by researchers, but this is the first proven attack involving smart household appliances used as 'thingBots' (thing robots). Just as your personal computers can be unknowingly compromised to build a huge botnet that can be used to launch cyber attacks, your smart household appliances and other components of the "Internet of Things" can be transformed into slaves by cyber criminals. The worst thing about these smart appliances is that they can be easily reached by cyber criminals due to their 24-hour availability on the Internet combined with a poorly protected Internet environment, i.e. misconfiguration and the use of default passwords.

“More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator. No more than 10 emails were initiated from any single IP address, making the attack difficult to block based on location -- and in many cases, the devices had not been subject to a sophisticated compromise; instead, misconfiguration and the use of default passwords left the devices completely exposed on public networks, available for takeover and use.”

Now it seems that we have hundreds of cyber weapons in our homes, or in other words hundreds of vulnerable sticks of dynamite living with us. This time it was just a spam mail attack, but answer me: how much damage could a group of well-trained hackers do, economic and otherwise, if they really wanted to? Reply with your views in the comment box (below). Stay with us, Stay Safe!
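
Why the "no more than 10 emails per IP" pattern defeats per-source blocking, and what a mail gateway can count instead, as an added example (not Proofpoint's method). The log format, thresholds, fingerprint rule and addresses are all constructed assumptions.

```python
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

PER_IP_LIMIT = 10  # from the report: no single IP sent more than 10 messages
MIN_SOURCES = 20   # assumed: distinct senders of one message shape that is suspicious

# Constructed gateway log format: timestamp client=<ip> subject="..." url=<first link>
LINE_RE = re.compile(r'client=(?P<ip>\S+) subject="(?P<subject>[^"]*)" url=(?P<url>\S+)')


def fingerprint(subject: str, url: str) -> str:
    """Collapse per-recipient noise so one campaign maps to one key."""
    shape = re.sub(r"\d+", "#", subject.lower()).strip()  # invoice 4711 -> invoice #
    host = urlsplit(url).hostname or ""                   # ignore per-message paths
    return hashlib.sha256(f"{shape}|{host}".encode()).hexdigest()[:16]


def parse(lines):
    """Turn log lines into (source_ip, campaign_fingerprint) events."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], fingerprint(m["subject"], m["url"])))
    return events


def per_ip_offenders(events, limit=PER_IP_LIMIT):
    """Classic rate limit: sources that sent more than `limit` messages."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > limit}


def distributed_campaigns(events, min_sources=MIN_SOURCES):
    """Message shapes seen from many distinct sources, however quiet each one is."""
    sources = defaultdict(set)
    for ip, fp in events:
        sources[fp].add(ip)
    return {fp: ips for fp, ips in sources.items() if len(ips) >= min_sources}


def sample_log():
    """Constructed data: 40 appliances sending 8 mails each, plus one bulk sender."""
    lines = []
    for host in range(1, 41):
        ip = f"198.51.100.{host}"
        for n in range(8):
            lines.append(
                f'2014-01-02T08:00:{n:02d}Z client={ip} '
                f'subject="Invoice {host * 100 + n} overdue" '
                f"url=http://pay.example.net/i/{host}{n}"
            )
    for n in range(30):
        lines.append(
            f'2014-01-02T09:00:{n:02d}Z client=203.0.113.7 '
            f'subject="Weekly newsletter" url=https://news.example.org/w'
        )
    return lines


if __name__ == "__main__":
    events = parse(sample_log())
    print("per-IP rule flags:", per_ip_offenders(events))
    for fp, ips in distributed_campaigns(events).items():
        print(f"campaign {fp}: {len(ips)} sources")
```

On the constructed data the per-IP rule flags only the legitimate bulk sender, while the campaign view surfaces the 40 quiet appliances as one event.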

Thursday, 16 January 2014

How to encrypt your files before uploading to Cloud Storage using CloudFogger

In this Internet-savvy generation, we want all of our data to be secured at some place. Having backups of your data is always a good idea, whether that data is stored in the cloud or on your computer. But everyone who is following the Edward Snowden leaks of the NSA's PRISM program is now pushed to harden their mobile devices and computers for security, privacy, and anonymity.

There are many free cloud storage providers including Google Drive, Dropbox, Box, RapidShare, Amazon Cloud Drive, Microsoft SkyDrive and many more. These services have a limitation that all data is unencrypted, or even if it is encrypted, the encryption keys are still generated by the company's software, meaning the company still has access to your data.

So as end users, we must think about the security and privacy of our data. We should first encrypt our files at the system level and then upload a copy to the cloud storage. For this, a robust and highly user-friendly tool called CloudFogger is available free of cost, and you need not be a geek to use it. It provides 256-bit AES encryption for your files.

Easy to install and easy to use. Follow these steps to encrypt your files using CloudFogger:

Step-1: Download and install CloudFogger from its website. Open it and create an account first.
Step-2: Select the folder you are using for syncing with cloud storage (Google Drive, SkyDrive, Dropbox etc.).
Step-3: Now you just need to drop your files into that folder. A small green overlay symbol will appear on your files, i.e. your files are now encrypted and ready to upload/sync with your cloud storage account.

That's it! The new file extension for all encrypted files will be ".cfog", and they can be accessed only if decrypted using your own CloudFogger keys. You can also encrypt documents manually, just by right-clicking a file and selecting cloudfogger->Fogg file(s), and you can access the files yourself using a virtual drive created by CloudFogger without decrypting each file.

This client-side encryption ensures that nobody will be able to access your protected documents and files without your password. RSA private keys are stored on the Cloudfogger server to allow convenient installation of the product on several devices, but all keys are again encrypted with 256-bit AES based on the user's password, and the company claims that user passwords will never be transmitted to the Cloudfogger servers. Each file uses its own unique AES key, which allows sharing files with different people, so you can add the email addresses of your friends if you want to allow them to decrypt your private document, image, etc.

For most users, finding a truly protected cloud service can be a challenge, as many services obviously have security gaps that leave data wide open to third-party attacks, leaks, or hacking. CloudFogger is an application available for Windows, Mac, Android and iOS. There are many more similar tools and services available, e.g. SpiderOak, Mozy, Carbonite, IDrive or BoxCryptor and many more.

However, CloudFogger is not open source software, so there is an alternative available called "CryptSync", which is an open source tool for encrypting files before uploading them to a cloud server, and which also does not store your files on the developer's server like CloudFogger.

This way, even if programs like the NSA's PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. Also, read my previous article, "How to Encrypt Your Emails against an invasion of privacy by NSA".
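
The key layout described above (a unique AES key per file, wrapped for each recipient, with the RSA private key itself encrypted under the user's password before it is stored remotely), as an added example that is not CloudFogger's code. It needs the third-party `cryptography` package; the cipher mode (AES-GCM), RSA-OAEP padding, the PKCS#8 password encryption and every name below are assumptions, since the page does not describe CloudFogger's actual formats.

```python
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed padding for wrapping file keys with a recipient's RSA public key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def new_user(password: bytes):
    """Create a key pair; return (public_pem, password_encrypted_private_pem).

    Only these two values would be uploaded. The password never leaves the device.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    wrapped_private_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(password),  # password-based encryption
    )
    return public_pem, wrapped_private_pem


def encrypt_file(plaintext: bytes, recipients: dict) -> dict:
    """Encrypt under a fresh 256-bit file key, then wrap that key per recipient.

    `recipients` maps an e-mail address to that person's public key PEM.
    """
    file_key = AESGCM.generate_key(bit_length=256)  # unique per file
    nonce = os.urandom(12)
    ciphertext = AESGCM(file_key).encrypt(nonce, plaintext, None)
    wrapped = {
        email: serialization.load_pem_public_key(pem).encrypt(file_key, OAEP)
        for email, pem in recipients.items()
    }
    return {"nonce": nonce, "ciphertext": ciphertext, "keys": wrapped}


def decrypt_file(container: dict, email: str, wrapped_private_pem: bytes,
                 password: bytes) -> bytes:
    """Unlock the private key with the password, unwrap the file key, decrypt."""
    private = serialization.load_pem_private_key(wrapped_private_pem, password=password)
    file_key = private.decrypt(container["keys"][email], OAEP)
    return AESGCM(file_key).decrypt(container["nonce"], container["ciphertext"], None)


if __name__ == "__main__":
    # Constructed users and file content.
    alice_pub, alice_priv = new_user(b"alice passphrase")
    bob_pub, bob_priv = new_user(b"bob passphrase")
    box = encrypt_file(b"quarterly report",
                       {"alice@example.com": alice_pub, "bob@example.com": bob_pub})
    print(decrypt_file(box, "bob@example.com", bob_priv, b"bob passphrase"))
```

The storage provider in this layout holds only ciphertext, wrapped file keys and password-encrypted private keys, so the strength of the user's password becomes the limiting factor.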

PGP Inventor announced encrypted PrivatOS based #BLACKPHONE against NSA surveillance

Mobile security may not be as secure as you think. In September we reported that the National Security Agency has the ability to access data on iOS, Android and even BlackBerry devices. Every day a new revelation about the NSA surveillance program makes security and privacy a major concern for all of us. Today we feel the need for highly secured networks and encrypted devices to safeguard our privacy from cyber criminals as well as governments.

Phil Zimmermann, inventor of the email encryption tool PGP and co-founder of Silent Circle (a company that specializes in mobile privacy and peer-to-peer encryption), has announced 'BLACKPHONE', a smartphone that's been designed to enable secure, encrypted communications, private browsing and secure file-sharing.

The company will launch BLACKPHONE at the 'Mobile World Congress' in Spain next month. It offers ‘PrivatOS’, an Android-based operating system which will allow users to make and receive secure phone calls, exchange secure texts, store files encrypted, use secure video chat, browse privately, and anonymize their activity through a VPN (virtual private network).

Phil Zimmermann said: “I have spent my whole career working towards the launch of secure telephony products, Blackphone provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end Smartphone features they have come to expect.”

From the Blackphone website: “Blackphone is unlocked and works with any GSM carrier. Performance benchmarks put it among the top performers from any manufacturer. It has the features necessary to do all the things you need, as well as all the things you want, while maintaining your privacy and security and giving you the freedom to choose your carrier, your apps, and your location. The tools installed on Blackphone give you everything you need to take ownership of your mobile presence and digital footprints, and ensure nobody else can watch you without your knowledge.”

BLACKPHONE is not the first smartphone that secures your communications with dedicated encryption technology; we have also seen the GSMK CryptoPhone with similar features. But the best part is that the company will make 'PrivatOS' open source, so that anyone can verify its authenticity. Just a few days back, the inventor of JavaScript and current CTO of Mozilla, Brendan Eich, also suggested trusting only open source software.

Silent Circle decided to shut down its secure e-mail service last year to prevent NSA spying, and now the company is also working on a more secure service called Dark Mail. The Blackphone will be available for pre-order from February 24, 2014, but pricing details aren’t available at this time.

Monday, 13 January 2014

Samsung KNOX - An Encrypted Virtual Operating system for Android Devices

Last year Samsung launched a security feature called 'KNOX' for high-end enterprise mobile devices. It's a nice security addition and free with new Samsung handsets such as the Galaxy Note 3 and Samsung Galaxy S4.

Samsung Knox is an application that creates a virtual partition (container) within the normal Android operating system, allowing a user to run two different Android systems on the same device so that personal and professional activities can be securely separated. The KNOX-based virtual operating system of your phone requires a password to be accessed and helps you securely store data that you're especially concerned about, such as personal pictures and video, in protected containers that would be resistant to hacking attempts on stolen devices. You can switch between Knox mode and personal mode using shortcuts in the app tray and notification tray.

All the data and applications stored in the KNOX container system are completely isolated from the rest of the operating system. No application or process inside the container can interact or communicate with any process outside of it and vice versa. Other than this, all the files within the KNOX container are encrypted using the Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key. It also provides the ability to configure and manage a virtual private network for the device on a per-app basis.

Samsung's reply to recently reported KNOX vulnerability:

Last month a team of researchers at Israel's Ben-Gurion University reported a vulnerability in Samsung’s KNOX software that could allow malicious software to track emails and record data communications; in other words, an attacker can easily intercept the secure data of Knox users, i.e. a classic Man in the Middle (MitM) attack. Samsung has responded with an official statement defending its new security feature, and according to them, "This research did not identify a flaw or bug in Samsung KNOX or Android".

A MitM attack is possible at any point on the network to see unencrypted application data, and this is also applicable to other normal operating systems. It is already known that interception is possible if an application is not using SSL/TLS encryption to protect incoming or outgoing data. So this is not KNOX's weakness; rather, this is because of insecure application development. KNOX provides a built-in VPN and support for third-party VPN solutions to protect data. "Use of either of those standard security technologies would have prevented an attack based on a user-installed local application." Samsung said.

Samsung claimed that KNOX currently offers several protective options to encrypt data, i.e. Mobile Device Management, Per-App VPN, FIPS 140-2 etc. More details on these options are available on Samsung's website. I must say, even if you are not required for security reasons to use Knox, it could be worth using it anyway in order to keep your personal and work data separate.

How to get KNOX for your Android Mobile?

KNOX isn’t available as an .APK or a download from the Play Store, nor does it come pre-installed on Samsung handsets. Your device must support its virtualization technology at the hardware level. To get KNOX, you just need to first update your Samsung device to Android 4.3, and then it will automatically install Samsung Premium Suite, which will add KNOX support.

MIT university website defaced by Anonymous hackers in honor of Aaron Swartz

Today is January 11, 2014, and on the same day last year, the 26-year-old hacker, Reddit cofounder and digital activist Aaron H. Swartz committed suicide. He was found dead in his Brooklyn, New York apartment, where he had hanged himself.

Swartz was indicted by a federal grand jury in July 2011, accused of hacking the MIT JSTOR database and stealing over four million documents with the intent to distribute them. He could have faced 50 years in prison and $4 million in fines, but before that he committed suicide in fear. Swartz's father, Robert, later blamed MIT and the judiciary system for his son's death.

On the first anniversary of Aaron Swartz's death, the Anonymous group of hackers today defaced a sub-domain of the Massachusetts Institute of Technology (MIT) website (http://cogen.mit.edu/) for about an hour as part of #OPLASTRESORT. The defacement page was titled 'THE DAY WE FIGHT BACK'. The message posted on it read, “Remember The Day We Fight Back, Remember. We Never Forget, We Never Surrender, Expect Us.”

At the time of writing, the domain was down. The attack on the MIT website was carried out as a tribute to Aaron Swartz following his tragic suicide.

Friday, 10 January 2014

Yahoo Mail turns on HTTPS encryption by default to protect users

After the revelations of the NSA's secret spying on Internet communications, I am expecting all tech companies to make surveillance significantly harder. Yahoo has had HTTPS encryption support since late 2012, but users had to opt in to use the feature.

Documents revealed by Edward Snowden show that the NSA secretly accessed data from several tech giants, including Yahoo, by intercepting unencrypted Internet traffic in a program called Muscular. As promised back in October 2013, Yahoo has finally enabled HTTPS connections by default for its users, which will now automatically encrypt the connections between users and its email service.

Jeff Bonforte, senior vice-president of communication products at Yahoo, announced in a blog post: "It is 100% encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail."

HTTPS by default is really good news for Yahoo users, as it will defend them against man-in-the-middle attacks, but this is still not enough to protect users from an NSA breach. Ivan Ristic, security researcher at Qualys, told ITworld that some of Yahoo's HTTPS email servers use RC4 as the preferred cipher with most clients, which is weak in nature. Also other servers, including login.yahoo.com, primarily use the AES cipher, which are vulnerable to BEAST and CRIME attacks.

The new enhancement will now boost privacy and security for Yahoo users, whether on the web, mobile web, mobile apps, or via IMAP, POP or SMTP. Other major webmail providers, including Gmail, have already had HTTPS on by default for the last few years.

Thursday, 9 January 2014

Learn to Encrypt Your Emails against an invasion of privacy by NSA

We now have enough details about the NSA's surveillance program, which has been running for a long time against almost every country on this planet. Hundreds of top-secret NSA documents provided by whistleblower Edward Snowden have already exposed that spying projects like PRISM and MUSCULAR tap directly into Google and Yahoo internal networks to access our emails. The NSA's tactics are even capable of defeating SSL encryption, so unsecured email can easily be monitored and even altered as it travels through the Internet.

One major worry for all of us is the privacy of our communication with each other. If you're looking for a little personal privacy in your communications, you will need to encrypt your messages. To avoid privacy breaches, or rather, to make it more difficult for the NSA or British GCHQ surveillance programs to read our communication, we should use PGP (Pretty Good Privacy) encryption.

Why should we encrypt our emails?

Every public mail service provider sends information from sender to recipient like a postcard: it carries the recipient's address and the content to be conveyed, and both are open to whatever medium carries the card. Encryption puts the content of the document in an envelope and leaves the recipient's address open so that it can reach its destination. So by encrypting your mail, even if a mail service provider keeps a record of all mail, you need not worry that your document is being read by a third party or by the NSA.

Encrypting your email may sound daunting, but it's actually quite simple. We are going to use something called GNU Privacy Guard (GnuPG) or Gpg4win (Windows).

Installation

Step 1: Download Gpg4win on a Windows machine and install it.
Step 2: After successful installation, close the window.

Generating your PGP key pair:

Step 3: Open the Kleopatra tool (a GUI GPG key manager) to create a new asymmetric key pair (public and private). Click on File -> New Certificate.
Step 4: In the key generation wizard, click on "Create a personal OpenPGP key pair" and in the next window enter your basic details.
Step 5: In the next window, review your details once more and click "Create Key". It will prompt you to enter a passphrase. Set a strong password and confirm it once again in the next window.
Step 6: Within a few seconds (depending on your system speed), your key pair will be generated.
Step 7: You should "Make a backup of your file pair" somewhere safe. You can also export the public key to a public directory by clicking on "Upload Certificate to Directory Service".
Step 8: Once done, the key manager's main interface will show your certificate.
Step 9: Select your newly generated certificate -> Right click -> click on Export Certificates to save your public key on the desktop.

You will have to exchange public keys with everyone you want to communicate with securely by mail. Many people post their public keys on their personal websites. You can also send your public key as an attachment to everyone you email, just so they have it. Once your friends have your public key, they can import it into the Kleopatra software via the 'Import Certification' option from the menu.

Composing an encrypted email:

Step 1: Open Outlook -> Compose a new mail and write the recipient's address, subject and your message.
Step 3: If you also want to attach some files to this encrypted email, then under the GpgOL menu, click Encrypted File, select the file to be attached and send the mail. When you or the recipient receives the encrypted mail, it must first be decrypted using the private key.
Step 4: Under the GpgOL menu, click on 'Decrypt' to convert the email into readable form. To proceed, it will ask for the secret passphrase entered when the key pair was created.

That's it! Other than Outlook, you can also use various desktop email clients (Thunderbird or Postbox) or web mail that also support PGP encryption. You can also import your key pair into other software in order to manage the same account.

Final Note - Unauthorized access to your email by hackers, identity thieves, your ISP, and government surveillance and censorship agencies can have disastrous consequences. If you really care about your online privacy, I am sure you will definitely like this article. Stay tuned to 'The Hacker News' for more informative articles and the latest updates from the Hacking World.
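The postcard and envelope comparison above can be checked on a message itself. The following Python sketch is an added example, not part of the original article: it parses constructed sample messages and reports what a relay or mailbox provider can read without any private key. The addresses, subject, placeholder ciphertext and function names are assumptions; note that with classic PGP/MIME the Subject line stays readable along with the addresses.

```python
from email import message_from_string

# Constructed sample mail (not real traffic); the armored body is a placeholder.
HEADERS = "From: alice@example.com\nTo: bob@example.com\nSubject: Q3 salary figures\n"
ARMOR = "-----BEGIN PGP MESSAGE-----\n\nPLACEHOLDERCIPHERTEXT\n-----END PGP MESSAGE-----\n"
PLAIN = HEADERS + "\nThe figures are in the attached sheet.\n"
INLINE = HEADERS + "\n" + ARMOR
PGP_MIME = (
    HEADERS
    + 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
    + "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    + "\n--b1\nContent-Type: application/octet-stream\n\n" + ARMOR + "--b1--\n"
)


def body_protection(msg):
    """Return 'pgp-mime' (RFC 3156), 'pgp-inline' (armored text part) or 'none'."""
    protocol = (msg.get_param("protocol") or "").lower()
    if msg.get_content_type() == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime"
    for part in msg.walk():
        if part.is_multipart():
            continue
        if b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b""):
            return "pgp-inline"
    return "none"


def provider_view(raw):
    """What a relay or mailbox provider can read without any private key."""
    msg = message_from_string(raw)
    protection = body_protection(msg)
    # The addressing headers and the Subject are outside the PGP layer.
    visible = {h: msg[h] for h in ("From", "To", "Subject") if msg[h]}
    if protection == "none":
        # No PGP layer: the body is as readable as the headers (the "postcard").
        leaf = next(p for p in msg.walk() if not p.is_multipart())
        visible["Body"] = leaf.get_payload(decode=True).decode("utf-8", "replace").strip()
    return protection, visible


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("inline", INLINE), ("pgp-mime", PGP_MIME)):
        print(name, provider_view(raw))
```
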
