News, technological breakthroughs, reviews of games, graphic novels / comics, series and movies: a bit of everything for everyone, without borders
Wednesday, 29 July 2015
Windows 10: privacy issues (and the Lenovo guide published a few days ago)
Lenovo's "Starting to use Windows 10" manual gives a detailed tutorial on basic use of Windows 10 and its features.
By downloading Windows 10 you are allowing Microsoft to spy on you
Windows 10 has finally arrived on many users' PCs and laptops, and they must be busy exploring Microsoft's latest offering. There are a lot of things Windows 10 users should be aware of; one of them is privacy, another is understanding the features of Windows 10.
We had already warned you that the Windows 10 Technical Preview, when it was launched, kept track of everything the beta tester did within the operating system. However, as it was a Technical Preview, Microsoft had a legitimate reason to learn how its operating system behaved, through user feedback, before the final product launch.
But now Microsoft has released the final version of Windows 10, and it comes with a brand new Privacy Policy and Services Agreement, which users should read carefully to understand the privacy implications of using Windows 10.
The Privacy Policy goes into effect on 1 August, and here are a few controversial points you should know about.
First of all, by downloading and installing Windows 10 you give Microsoft very broad power to collect things you do, say and create while using its software. The description of what is collected is quite ambiguous, but one thing is certain: Windows 10 will report many of the things you do back to Microsoft's servers in Redmond.
Data syncing by default
Microsoft will sync settings and data with its servers by default. This includes your browser history, favorites and the websites you currently have open, as well as saved app, website and mobile hotspot passwords and Wi-Fi network names and passwords. This is much like how Google Chrome sync works; if you are not comfortable sharing your usage habits (and your saved passwords) with Microsoft's servers, you can deactivate it in Settings.
Cortana
As with the Windows 10 Technical Preview, Microsoft's personal virtual assistant, Cortana, is an online listening post for Microsoft: it shares everything you do while you use it. You have to allow this because, ironically, it cannot work to its full extent without collecting that data. Microsoft's privacy statement says as much:
“To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device.
Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.”
Advertising ID:
Windows 10 generates a unique advertising ID for each user on each device. It can be used by developers and ad networks to profile you and serve targeted commercial content. Like data sync, you can turn this off under Settings > Privacy > General > Change privacy options.
Turning off all the toggles under Change privacy options stops apps from using your advertising ID (the ID is reset when you switch it off).
Encryption keys are backed up to OneDrive
Another of those necessary prerequisites, but one you should be aware of. When device encryption is turned on, Windows 10 automatically encrypts the drive it is installed on and generates a BitLocker recovery key, which is backed up to your OneDrive account. That recovery key unlocks the whole disk, so anyone who controls that account, or can compel Microsoft to hand over what it stores, can read the drive.
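As an added example (not code from the original post, nor from Microsoft), here is how the two settings above look from an elevated PowerShell prompt on Windows 10: the script reads the registry value that the Settings > Privacy > General toggle writes and lists the BitLocker recovery-password protector on the system drive, and with the script's own `-Fix` switch it turns the advertising ID off and rotates the recovery password. Rotation is the point: deleting an escrowed copy from your Microsoft account leaves the same password valid on the disk, whereas a fresh recovery password kept offline makes any copy Microsoft still holds useless.

```powershell
# Added example, not code from the original post or from Microsoft: audit,
# and with -Fix correct, the advertising ID and the BitLocker recovery
# password discussed above. Run from an elevated PowerShell prompt on
# Windows 10. The registry path is the one the Settings toggle writes; the
# BitLocker cmdlets are the built-in BitLocker module. -Fix is this script's
# own convention.
param([switch]$Fix)

$drive = $env:SystemDrive   # normally "C:"

# --- 1. Advertising ID -------------------------------------------------------
# Enabled = 1 lets apps read the per-user advertising ID; 0 switches it off.
$adKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
$adValue = (Get-ItemProperty -Path $adKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($adValue -eq 0) {
    Write-Host 'Advertising ID: disabled'
} else {
    if ($null -eq $adValue) { $state = 'not set (default: on)' } else { $state = "Enabled=$adValue" }
    Write-Host "Advertising ID: enabled ($state)"
    if ($Fix) {
        New-Item -Path $adKey -Force | Out-Null
        Set-ItemProperty -Path $adKey -Name Enabled -Value 0 -Type DWord
        Write-Host 'Advertising ID: disabled'
    }
}

# --- 2. BitLocker recovery password ------------------------------------------
# Device encryption escrows the recovery password to the Microsoft account.
# Deleting that copy removes it from view but leaves the same password valid
# on the disk, so the only way to be sure an escrowed copy cannot unlock the
# drive is to rotate it: add a fresh recovery password, then remove the old
# one(s), and keep the new one offline (printed, in a safe), not in any cloud.
$vol = Get-BitLockerVolume -MountPoint $drive
Write-Host "Volume $drive : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
$oldRp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
foreach ($p in $oldRp) { Write-Host "Recovery password protector: $($p.KeyProtectorId)" }

if ($Fix -and $oldRp.Count -gt 0) {
    # Add the replacement first so the volume is never left without a recovery path.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    foreach ($p in $oldRp) {
        Remove-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    $newRp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Write-Host "New recovery password (store offline): $($newRp.RecoveryPassword)"
    Write-Host 'Now check the recovery keys listed under your Microsoft account and delete the old entries.'
}
```

Run it once without `-Fix` to see the current state; the BitLocker part needs administrator rights and only reports something on a drive that is actually encrypted. After rotating, look at the devices page of the Microsoft account you signed in with and confirm no new key has appeared there.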
You empower Microsoft to disclose your data once you download Windows 10
Read this part carefully. By agreeing to the Services Agreement and Privacy Policy you allow Microsoft to access, keep and disclose your data, including the content of private files and messages, whenever it decides in good faith that this is necessary to protect its customers or enforce its terms; Microsoft alone judges what counts as necessary. Realistically that may never happen to you, but it is one of the controversial aspects of the privacy policy:
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”
Saturday, 23 May 2015
Learn to encrypt your email against invasion of privacy by the NSA
We now have enough detail about how the NSA's surveillance programme has been running, for a long time, against almost every country on this planet.
Hundreds of top-secret NSA documents provided by whistleblower Edward Snowden have already exposed that spying projects like PRISM and MUSCULAR tap directly into Google's and Yahoo's internal networks to access our email. The NSA has ways around SSL encryption (MUSCULAR, for instance, tapped the links between the providers' data centres, which were not encrypted at the time), so unsecured email can easily be monitored and even altered as it travels across the Internet.
One major point all of us worry about is the privacy of our communications with each other. If you want some personal privacy in your communications, you will need to encrypt your messages.
To avoid privacy breaches, or rather to make it much harder for the NSA or Britain's GCHQ to read our communications, we should use PGP (Pretty Good Privacy) encryption.
Why should we encrypt our email? Every public mail provider carries a message from sender to recipient like a postcard: the recipient's address and the content are both exposed to whatever handles the card on its way. Encryption puts the content in an envelope while leaving the recipient's address visible, so the message can still reach its destination. So, by encrypting your mail, even if a mail provider keeps a record of every message, you need not worry that the document is being read by a third party, or by the NSA. Note what the envelope does not hide: sender, recipient, subject line and timing stay visible, and PGP protects only the body and attachments.
Encrypting your email may sound daunting, but it's actually quite simple. We are going to use GNU Privacy Guard (GnuPG), which on Windows comes packaged as Gpg4win.
Installation
Step 1: Download Gpg4win (gpg4win.org) and run the installer.
Step 2: After a successful installation, close the window.
Generating your PGP key pair:
Step 3: Now open the Kleopatra tool (a GUI key manager for GnuPG) to create a new asymmetric key pair (public and private). Click File -> New Certificate.
Step 4: In the key generation wizard, click "Create a personal OpenPGP key pair" and enter your basic details in the next window.
Step 5: In the next window, review your details once and click "Create Key". It will prompt you for a passphrase. Set a strong passphrase and confirm it in the next window; it is the only thing standing between your private key and anyone who copies your keyring file.
Step 6: Within a few seconds (depending on your system's speed) your key pair will be generated (as shown).
Step 7: "Make a backup of your key pair" and keep it somewhere safe; the backup contains your private key, so guard it like the passphrase. You can also publish the public key to a keyserver by clicking "Upload Certificate to Directory Service". Keyserver uploads are public and cannot be recalled, so do this only once you are happy with the key.
Step 8: Once done, the key manager's main window will show your certificate as shown:
Step 9: Select your newly generated certificate -> right-click -> Export Certificates to save your public key on the desktop.
You will have to exchange public keys with whomever you want to communicate with securely by mail. Many people post their public keys on their personal websites; you can also attach yours to every email you send, just so people have it.
Once your friends have your public key, they can import it into Kleopatra via the 'Import Certificates' option in the menu. Before you encrypt anything to a key someone sent you, compare its fingerprint with the owner over another channel (phone, in person): a key that arrives by email can be swapped for an attacker's key in transit, and encrypting to the wrong key protects nothing.
Composing an encrypted email:
Step 1: Open Outlook -> compose a new mail and enter the recipient's address, subject and your message.
Note: You should already have your email account configured in Outlook on the Windows machine. Gpg4win installs the GpgOL add-in for Outlook; if your Outlook has no OpenPGP support, you can install the 'Outlook Privacy Plugin' to enable it.
Step 2: In the GpgOL menu (as shown), click 'Encrypt'. The software will automatically pick up the recipient's public key from the key manager (only if it exists there, i.e. was imported before).
Step 3: If you also want to attach files to this encrypted email, click Encrypted File in the GpgOL menu, select the file to attach, and send the mail.
When you or the recipient receive an encrypted mail, it must first be decrypted with the private key.
Step 4: In the GpgOL menu, click 'Decrypt' to turn the email back into readable form. It will ask for the passphrase you entered when the key pair was created.
That's it! Besides Outlook you can also use various desktop email clients (Thunderbird or Postbox) or webmail that support PGP encryption. You can import your key pair into other software as well in order to manage the same account.
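The same key generation, key exchange and encrypt/decrypt steps from the command line, as an added example that is not code from the original post, from Gpg4win or from GnuPG. It drives the gpg.exe that Gpg4win installs from PowerShell, using two throw-away keyrings ("Alice" and "Bob") so both sides of the exchange run on one machine, and it adds the check the GUI walkthrough skips: comparing the fingerprint of an imported key before certifying and using it. It assumes gpg (GnuPG 2.1 or later; older 2.1 builds also need `allow-loopback-pinentry` in gpg-agent.conf) is on PATH; the names, addresses, passphrases and the message text are placeholders.

```powershell
# Added example, not code from the original post, Gpg4win or GnuPG: the
# Kleopatra/Outlook steps above driven from the GnuPG command line that
# Gpg4win installs (gpg.exe). Two throw-away keyrings, "Alice" and "Bob",
# stand in for the two correspondents so the whole exchange runs on one
# machine. Assumes gpg (GnuPG 2.1 or later) is on PATH; names, addresses
# and passphrases are placeholders.
$work  = Join-Path $env:TEMP ('pgp-demo-' + [guid]::NewGuid())
$alice = Join-Path $work 'alice'
$bob   = Join-Path $work 'bob'
New-Item -ItemType Directory -Path $alice, $bob | Out-Null

function Invoke-Gpg {
    # Run gpg against one party's keyring (--homedir). Loopback pinentry lets
    # the passphrase be supplied on the command line instead of a GUI prompt.
    param([string]$Keyring, [string]$Passphrase, [string[]]$GpgArgs)
    $common = @('--homedir', $Keyring, '--batch', '--yes', '--pinentry-mode', 'loopback')
    if ($Passphrase) { $common += @('--passphrase', $Passphrase) }
    $out = & gpg @common @GpgArgs
    if ($LASTEXITCODE -ne 0) { throw "gpg $($GpgArgs -join ' ') failed with code $LASTEXITCODE" }
    return $out
}

function Get-Fingerprint {
    # Primary-key fingerprint from gpg's machine-readable (--with-colons) output:
    # the "fpr" row carries it in the tenth field.
    param([string]$Keyring, [string]$UserId)
    $rows = Invoke-Gpg $Keyring '' @('--with-colons', '--fingerprint', $UserId)
    $fpr = $rows | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
    return $fpr.Split(':')[9]
}

# Steps 3-6: each side generates an RSA key pair protected by a passphrase.
Invoke-Gpg $alice 'alice-passphrase' @('--quick-generate-key', 'Alice <alice@example.com>', 'rsa4096', 'default', '1y') | Out-Null
Invoke-Gpg $bob   'bob-passphrase'   @('--quick-generate-key', 'Bob <bob@example.com>',     'rsa4096', 'default', '1y') | Out-Null

# Step 9: export the public key (the .asc file you mail around or post on a web page).
$alicePub = Join-Path $work 'alice.asc'
$bobPub   = Join-Path $work 'bob.asc'
Invoke-Gpg $alice 'alice-passphrase' @('--armor', '--output', $alicePub, '--export', 'alice@example.com') | Out-Null
Invoke-Gpg $bob   'bob-passphrase'   @('--armor', '--output', $bobPub,   '--export', 'bob@example.com')   | Out-Null

# Exchange and import (Kleopatra's "Import Certificates").
Invoke-Gpg $bob   'bob-passphrase'   @('--import', $alicePub) | Out-Null
Invoke-Gpg $alice 'alice-passphrase' @('--import', $bobPub)   | Out-Null

# The check the walkthrough leaves out: an emailed key can be swapped in
# transit, so compare the fingerprint of the imported key with the one its
# owner reads to you over another channel. Both keyrings live on this machine,
# so here the "other channel" is a direct read of the owner's own keyring.
$aliceAsBobSeesIt = Get-Fingerprint $bob   'alice@example.com'
$bobAsAliceSeesIt = Get-Fingerprint $alice 'bob@example.com'
if ($aliceAsBobSeesIt -ne (Get-Fingerprint $alice 'alice@example.com')) { throw 'Alice fingerprint mismatch' }
if ($bobAsAliceSeesIt -ne (Get-Fingerprint $bob   'bob@example.com'))   { throw 'Bob fingerprint mismatch' }

# Only after the fingerprints match: certify the key locally (Kleopatra: "Certify").
Invoke-Gpg $bob   'bob-passphrase'   @('--quick-lsign-key', $aliceAsBobSeesIt) | Out-Null
Invoke-Gpg $alice 'alice-passphrase' @('--quick-lsign-key', $bobAsAliceSeesIt) | Out-Null

# Composing: Bob signs with his key and encrypts to Alice's public key.
$plain  = Join-Path $work 'message.txt'
$cipher = Join-Path $work 'message.asc'
Set-Content -Path $plain -Value 'Constructed sample message: only this body and any attachments are protected.' -Encoding ASCII
Invoke-Gpg $bob 'bob-passphrase' @('--local-user', 'bob@example.com', '--recipient', 'alice@example.com',
                                   '--armor', '--sign', '--encrypt', '--output', $cipher, $plain) | Out-Null
Get-Content $cipher | Select-Object -First 3   # the PGP MESSAGE block is all the mail provider stores

# Receiving: Alice decrypts with her private key (the passphrase prompt you see
# in Outlook) and gpg verifies Bob's signature at the same time (reported on stderr).
$decrypted = Join-Path $work 'message.decrypted.txt'
Invoke-Gpg $alice 'alice-passphrase' @('--output', $decrypted, '--decrypt', $cipher) | Out-Null
Get-Content $decrypted
```

The keyrings are created under `%TEMP%`, so delete that folder afterwards; a real keyring sits in `%APPDATA%\gnupg` and is what the Kleopatra backup in Step 7 copies. The two `throw` lines are the manual fingerprint comparison made explicit: skip it and an attacker who intercepts the emailed `.asc` file gets to read everything you "encrypt".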
Friday, 15 May 2015
Here's how an attacker can bypass your two-factor authentication
The
two-step authentication systems on many websites work by sending a message to
your phone via SMS when someone tries to log in. Even if you use a dedicated
app on your phone to generate codes, there’s a good chance your service of
choice offers to let people log in by sending an SMS code to your phone. Or,
the service may allow you to remove the two-factor authentication protection
from your account after confirming you have access to a phone number you
configured as a recovery phone number.
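The "dedicated app" path that the paragraph above contrasts with SMS is TOTP (RFC 6238), as used by Google Authenticator and similar apps. As an added example (not code from the original article), here it is written out in PowerShell so the difference is visible: the code is computed locally from a shared secret and the clock and never crosses the phone network, which is exactly why an attacker who owns your phone number has to go through the recovery path instead. The secret is the RFC 6238 test-vector key in base32, not anyone's real seed, and the script checks itself against the RFC's published values.

```powershell
# Added example, not code from the original article: TOTP (RFC 6238) as
# generated by an authenticator app and as a server should verify it. The
# seed is the RFC 6238 test vector ("12345678901234567890" in base32), not a
# real key.

function ConvertFrom-Base32 {
    # Authenticator apps share the seed as base32 (the QR-code payload).
    param([string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpper().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "invalid base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    # RFC 6238: HOTP(K, floor(T / step)), HMAC-SHA1, dynamically truncated to $Digits digits.
    param([string]$Base32Secret, [long]$UnixTime, [int]$Digits = 6, [int]$Step = 30)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)             # 8-byte counter, big-endian on the wire
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,(ConvertFrom-Base32 $Base32Secret))
    $h = $hmac.ComputeHash($msg)
    $o = $h[19] -band 0x0F                                  # dynamic truncation offset
    $bin = (([int]$h[$o] -band 0x7F) -shl 24) -bor ([int]$h[$o + 1] -shl 16) -bor ([int]$h[$o + 2] -shl 8) -bor [int]$h[$o + 3]
    return ($bin % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    # Server-side check: accept the current step and one step either side to
    # absorb clock skew. A wider window weakens the check; an SMS fallback removes it.
    param([string]$Base32Secret, [string]$Code, [long]$UnixTime, [int]$Window = 1)
    for ($w = -$Window; $w -le $Window; $w++) {
        if ((Get-Totp $Base32Secret ($UnixTime + 30 * $w)) -eq $Code) { return $true }
    }
    return $false
}

# Self-check against RFC 6238 Appendix B (SHA-1, 8 digits); 6-digit codes are the last six.
$seed = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
$vectors = @{ 59 = '94287082'; 1111111109 = '07081804'; 1234567890 = '89005924' }
foreach ($t in $vectors.Keys) {
    $got = Get-Totp $seed $t 8
    if ($got -ne $vectors[$t]) { throw "TOTP self-check failed at T=$t : got $got" }
}

# The right code at the right time passes; the same code 90 s later falls
# outside the +/-1 step window and is rejected, which is what time-limiting buys.
$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code = Get-Totp $seed $now
"code $code valid now: $(Test-Totp $seed $code $now); valid 90 s later: $(Test-Totp $seed $code ($now + 90))"
```

Nothing in this exchange touches the carrier, so a SIM swap or call forwarding cannot capture the code. What the rest of the article describes is the service-side fallback around it: if the same account lets a phone number reset the second factor, the TOTP seed is only as strong as the carrier's customer-service desk.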
This all
sounds fine. You have your cell phone, and it has a phone number. It has a
physical SIM card inside it that ties it to that phone number with your cell
phone provider. It all seems very physical. But, sadly, your phone number isn’t
as secure as you think.
If you've ever needed to move an existing phone number to a new SIM card after losing your phone or just getting a new one, you'll know that you can often do it entirely over the phone, or perhaps even online. All an attacker has to do is call your cell phone company's customer service department and pretend to be you. They'll need to know your phone number and some personal details about you. These are the kinds of details (credit card number, last four digits of an SSN, and so on) that regularly leak in big database breaches and are used for identity theft. With them, the attacker can try to get your phone number moved to their phone.
There are even easier ways: for example, they can have call forwarding set up on the phone company's end so that incoming voice calls are forwarded to their phone and never reach yours.
Heck, an
attacker might not need access to your full phone number. They could gain
access to your voice mail, try to log in to websites at 3 a.m., and then grab
the verification codes from your voice mailbox. How secure is your phone
company’s voice mail system, exactly? How secure is your voice mail PIN — have
you even set one? Not everyone has! And, if you have, how much effort would it
take for an attacker to get your voice mail PIN reset by calling your phone
company?
Your phone
number becomes the weak link, allowing your attacker to remove two-step
verification from your account — or receive two-step verification codes — via
SMS or voice calls. By the time you realize something is wrong, they can have
access to those accounts.
This is a
problem for practically every service. Online services don’t want people to
lose access to their accounts, so they generally allow you to bypass and remove
that two-factor authentication with your phone number. This helps if you’ve had
to reset your phone or get a new one and you’ve lost your two-factor
authentication codes — but you still have your phone number.
Theoretically,
there’s supposed to be a lot of protection here. In reality, you’re dealing
with the customer service people at cellular service providers. These systems
are often set up for efficiency, and a customer service employee may overlook
some of the safeguards faced with a customer who seems angry, impatient, and
has what seems like enough information. Your phone company and its customer
service department are a weak link in your security.
Protecting
your phone number is hard. Realistically, cellular phone companies should
provide more safeguards to make this less risky. In reality, you probably want
to do something on your own instead of waiting for big corporations to fix
their customer service procedures. Some services may allow you to disable
recovery or reset via phone numbers and warn against it profusely — but, if
it’s a mission-critical system, you may want to choose more secure reset
procedures like reset codes you can lock in a bank vault in case you ever need
them.
It’s not
just about your phone number, either. Many services allow you to remove that
two-factor authentication in other ways if you claim you’ve lost the code and
need to log in. As long as you know enough personal details about the account,
you may be able to get in.
Try it
yourself — go to the service you’ve secured with two-factor authentication and
pretend you’ve lost the code. See what it takes to get in. You may have to
provide personal details or answer insecure “security questions” in the worst
case scenario. It depends on how the service is configured. You may be able to
reset it by emailing a link to another email account, in which case that email
account may become a weak link. In an ideal situation, you may just need access
to a phone number or recovery codes — and, as we’ve seen, the phone number part
is a weak link.
Here’s
something else scary: It’s not just about bypassing two-step verification. An
attacker could try similar tricks to bypass your password entirely. This can
work because online services want to ensure people can regain access to their
accounts, even if they lose their passwords.
For
example, take a look at the Google Account Recovery system. This is a
last-ditch option for recovering your account. If you claim to not know any
passwords, you’ll eventually be asked for information about your account like
when you created it and who you frequently email. An attacker who knows enough
about you could theoretically use password-reset procedures like these to get
access to your accounts.
We’ve never
heard of Google’s Account Recovery process being abused, but Google isn’t the
only company with tools like this. They can’t all be entirely foolproof,
especially if an attacker knows enough about you.
Whatever
the problems, an account with two-step verification set up will always be more
secure than the same account without two-step verification. But two-factor
authentication is no silver bullet, as we’ve seen with attacks that abuse the
biggest weak link: your phone company.