Telling users to ‘avoid clicking bad links’ isn’t working

Abstract: "Telling users to ‘avoid clicking bad links’ still isn’t working", by David C., Technical Director for Platforms Research and Principal Architect, NCSC (UK). Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing. Infosec tenets simply don’t work. Advising users not to click on bad links: users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job...

December 28, 2022 · 2 min · 9x0rg

About Me

$ whoami Hi there, my name is Olivier Falcoz. I am a random French-speaking dude who goes by the alias of 9x0rg. You might have crossed me under the nicknames of elpanzer or panz’ in the past. I’m an Infosec & risk management professional by day, formerly based in the Asia-Pacific region and now impatriated in Provence. I’ve been one of the maintainers of two MTB-related websites during my years in Asia: KLMBH, an association perpetuating the tradition of the running Hash but on a mountain bike, and TRAKS, a trail conservancy NGO in Malaysia....

Ditching WhatsApp [updated]

[First published on September 05, 2016] I am ditching WhatsApp, following Facebook’s decision to begin harvesting data from its messaging service. Even though Motherboard claims “it may be possible to prevent WhatsApp to give your phone number to Facebook” (LOL) WhatsApp will still harvest your metadata. “Sharing metadata with Facebook still exposes users to significant risks,” says Claire Gartland, consumer protection counsel for the Electronic Privacy Information Center. “Facebook will have data indicating who WhatsApp users communicate with and how frequently, and connecting WhatsApp users with their social media accounts and broader online activity, associations, political affiliations, and more....

June 14, 2018 · 2 min · 9x0rg

Instant messaging encryption: which protocol to trust?

Seen on the ANSSI website: Alongside the widespread realization that electronic communications need to be secured, many (near-)instant messaging applications have appeared on smartphones. All of them claim a high level of security, leaving the user in doubt as to the actual level of security to expect. So, which one to favor among Signal, Telegram or XMPP? I am deliberately not mentioning WhatsApp/Facecrook, eh....

November 15, 2017 · 1 min · 9x0rg

Malaysia telco databreach - check yourself

Lowyat reported on Oct. 30, 2017 that a total of 46.2 Million Malaysian phone numbers were exposed, and the dataset included IC numbers, addresses, IMSI, IMEI and SIM numbers as well. Check yourself out: head over to SayaKenaHack.com, the dedicated website created by Keith Rozario, and check if your details are part of the breach.

November 14, 2017 · 1 min · 9x0rg

A brief history of GnuPG

A brief history of GnuPG: vital to online security but free and underfunded. Donate to GnuPG. Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition. One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project....

October 13, 2017 · 3 min · 9x0rg

China blocks WhatsApp

China has largely blocked the WhatsApp messaging app, the latest move by Beijing to step up surveillance ahead of a big Communist Party gathering next month. The disabling in mainland China of the Facebook-owned app is a setback for the social media giant, whose chief executive, Mark Zuckerberg, has been pushing to re-enter the Chinese market, and has been studying the Chinese language intensively. WhatsApp was the last of Facebook products to still be available in mainland China; the company’s main social media service has been blocked in China since 2009, and its Instagram image-sharing app is also unavailable....

September 26, 2017 · 1 min · 9x0rg

Hacking Team government users

The 21 suspected government users of RCS by Hacking Team. Hacking Team, also known as HT S.r.l., is a Milan-based company that describes itself as the “first to propose an offensive solution for cyber investigations”. Their flagship Remote Control System (RCS) product, billed “the hacking suite for governmental interception,” is a suite of remote monitoring implants (i.e., spyware) sold exclusively to government agencies worldwide. We suspect that twenty-one governments are using Hacking Team’s RCS spyware....

July 9, 2017 · 1 min · 9x0rg

7 in 10 smartphone apps share your data with third-party services

Our mobile phones can reveal a lot about ourselves: where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits. The research that we and our colleagues are doing identifies and explores a significant threat that most people miss: More than 70 percent of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API or Crashlytics....

May 31, 2017 · 1 min · 9x0rg

The CIA didn't break Signal App

The CIA didn’t break Signal or WhatsApp… despite what you’ve heard. The agency might be able to break into your phone, but files released today show no ability to intercept encrypted chats before they arrive there. There’s been one particularly misleading claim repeated throughout coverage of CIA documents released by WikiLeaks today: that the agency’s in-house hackers “bypassed” the encryption used by popular secure-chat software like Signal and WhatsApp. It doesn’t....

March 8, 2017 · 2 min · 9x0rg