What is a backdoor?
By definition: «Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data,» either the backdoor is in encryption algorithm, a server or in an implementation.
Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that «could allow» an attacker, and of course the company itself, to intercept your encrypted communication.
The story involving the world’s largest secure messaging platform that has over a billion users worldwide gone viral in few hours, attracting reactions from security experts, WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp.
Note: I would request readers to read complete article before reaching out for a conclusion. And also, suggestions and opinions are always invited 🙂
What’s the Issue:
The vulnerability relies on the way WhatsApp behaves when an end user’s encryption key changes.
WhatsApp, by default, trusts new encryption key broadcasted by a contact and uses it to re-encrypt undelivered messages and send them without informing the sender of the change.
In my previous article, I have elaborated this vulnerability with an easy example, so you can head on to read that article for better understanding.
Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that » we were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing. »
What Experts argued:
According to some security experts — «It’s not a backdoor, rather it’s a feature to avoid unnecessarily re-verification of encryption keys upon automatic regeneration. »
Open Whisper Systems says — «There is no WhatsApp backdoor,» «it is how cryptography works,» and the MITM attack «is endemic to public key cryptography, not just WhatsApp. »
A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 Billion, says — «The Guardian’s story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor. »
What’s the fact:
Notably, none of the security experts or the company has denied the fact that, if required, WhatsApp, on government request, or state-sponsored hackers can intercept your chats.
What all they have to say is — WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed.
Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, «Even though we are the creators of the encryption protocol supposedly «backdoored» by WhatsApp, we were not asked for comment. »
What? «…encryption protocol supposedly «backdoored» by WhatsApp…» NO!
No one has said it’s an «encryption backdoor;» instead this backdoor resides in the way how end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption.
As I mentioned in my previous story, this backdoor has nothing to do with the security of Signal encryption protocol created by Open Whisper Systems. It’s one of the most secure encryption protocols if implemented correctly.
Then Why Signal is more Secure than WhatsApp?
You might be wondering why Signal private messenger is more secure than Whatsapp, while both use the same end-to-end encryption protocol, and even recommended by the same group of security experts who are arguing — «WhatsApp has no backdoor. »
It’s because there is always room for improvement.
The signal messaging app, by default, allows a sender to verify a new key before using it. Whereas, WhatsApp, by default, automatically trusts the new key of the recipient with no notification to the sender.
And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered.
So, here WhatsApp chose usability over security and privacy.
It’s not about ‘Do We Trust WhatsApp/Facebook?’:
WhatsApp says it does not give governments a «backdoor» into its systems.
No doubt, the company would definitely fight the government if it receives any such court orders and currently, is doing its best to protect the privacy of its one-billion-plus users.
But what about state-sponsored hackers? Because, technically, there is no such ‘reserved’ backdoor that only the company can access.
Why ‘Verifying Keys’ Feature Can’t Protect You?
WhatsApp also offers a third security layer using which you can verify the keys of other users with whom you are communicating, either by scanning a QR code or by comparing a 60-digit number.
But here’s the catch:
This feature ensure that no one is intercepting your messages or calls at the time you are verifying the keys, but it does not ensure that no one, in the past had intercepted or in future will intercept your encrypted communication, and there is no way, currently, that would help you identify this.
WhatsApp Prevention against such MITM Attacks are Incomplete
WhatsApp is already offering a «security notifications» feature that notifies users whenever a contact’s security code changes, which you need to turn on manually from app settings.
But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense .
Have you received a notification indicating that your contact’s security code has changed?
Instead of offering ‘Security by Design,’ WhatsApp wants its users to use their common sense not to communicate with the contact whose security key has been changed recently, without verifying the key manually.
The fact that WhatsApp automatically changes your security key so frequently (for some reasons) that one would start ignoring such notifications, making it practically impossible for users to actively looking each time for verifying the authenticity of session keys.
What WhatsApp should do?
Without panicking all one-billion-plus users, WhatsApp can, at least:
Stop regenerating users’ encryption keys so frequently (I clearly don’t know why the company does so). Give an option in the settings for privacy-conscious people, which if turned on, would not automatically trust new encryption key and send messages until manually accepted or verified by users.
…because just like others, I also hate using two apps for communicating with my friends and work colleagues i.e. Signal for privacy and WhatsApp because everyone uses it.

© Source: http://feedproxy.google.com/~r/TheHackersNews/~3/l2HP8JPOjQE/whatsapp-backdoor-encryption.html
All rights are reserved and belongs to a source media.

Your personal brand isn’t just a buzz phrase. It’s the unique combination of skills, experience, passion and personality that makes you exactly the right fit for your dream job. Building a personal brand means going beyond simply regurgitating your resume across multiple platforms, says Gianna Scorsone, vice president of marketing and sales operations at IT staffing and recruiting firm Mondo.
«Developing a personal brand is all about standing out — you’re not going to do that if you’re just posting your resume in a bunch of different places. That’s a tactical approach that only highlights what you can do, not who you are and what your value is to an organization. You need to provide layers of different, personalized information to show that you’re results-oriented, that you can deliver ROI and that you have passion and drive that will be invaluable to a potential employer,» says Scorsone. Thankfully, creating and showcasing your personal brand is easier than ever.
When working with job seekers, Scorsone says she finds herself recommending specific tools that will help her clients move beyond the tactical and into the strategic when polishing their personal brand. Here, she shares those six tools that can help job seekers land that perfect role.
GitHub is an online software version control tool, at its heart, but it’s really so much more, says Scorsone. It’s also a social coding platform that can serve as an online code portfolio for developers to showcase their work and highlight their talents, she says, and developers can include links to their portfolio within job applications or on their personal websites.
Behance is a platform for creative professionals, including graphic designers, and UX/UI developers. You can manage and maintain a portfolio and share your work publicly with recruiters and hiring managers to showcase your skills.
The old standby is still a great way to successfully promote your professional brand, but make sure you’re constantly optimizing the content you add to your profile, keep it clean and free from clutter and only include your best or most relevant work experience, Scorsone says. «One of the most common mistakes I see on LinkedIn is candidates just reposting their resume. You have to go beyond that to create a brand, build a network and engage with those connections on the platform,» she says.
JibberJobber is an excellent resource to help keep track of those important network connections and note how they’ve helped you, Scorsone says. «Using this tool to organize your top professional contacts allows you to easily tap these individuals for testimonials or references that can then be added to your website or LinkedIn profile,» she says.
Squarespace lets job seekers create their own website, which is a great way to improve your professional brand and create a platform solely dedicated to showcasing your experience, says Scorsone. «Squarespace is designed to help you build an online portfolio and it’s really great even for folks who don’t have technical ability; it removes the stress of having to create a website from scratch with user-friendly templates,» she says.
Dunked is an online platform where business professionals can create and host an online portfolio for a small monthly fee, Scorsone says. However, it’s definitely geared toward professionals with visual and artistic experience, so it’s the perfect platform for developers, designers and/or engineers, she says.

© Source: http://www.computerworld.com/article/3157557/it-skills-training/6-tools-to-help-boost-your-personal-brand.html
All rights are reserved and belongs to a source media.