How to Survive a Facebook Hack


Here we go again. Radware’s threat research group recently announced that more than 40,000 Facebook users were duped into downloading a “Relieve Stress Paint” application, via a crafty phishing email, that stole their login credentials and browser cookies while they pretend-painted in the app. Worse, the attack was clever enough to avoid being flagged by a typical antivirus app.
So, how can you keep your data safe in these instances? Let’s review:

Don’t download bullshit apps

Seriously. Since you’re an astute Lifehacker reader, you probably have a pretty good Spidey Sense when you see a website that looks like this, which asks you to download an app that sounds a little weird:
That is, in fact, a screenshot of the website where these phishing emails directed less-savvy recipients. The site is also available via a Google search, if you somehow craft a query weird enough to make it pop up in your results.
In both instances, the malware creators use Unicode to make the website’s URL appear in the email (or listing) as something much more innocent: aol.net or, in my case, picc.com. Hover over the link, or view the address bar when you click through, and you’ll see something much different: xn--p1aca6f.com, for example.
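The two tells described above (a hostname that contains non-ASCII characters, or one that the resolver will actually see as a punycode xn-- label) can be checked before clicking. The following POSIX shell script is an added example, not something from the article or from Radware; it takes URLs as arguments and prints a verdict per link. With no arguments it runs over three constructed samples: a plain name, the xn--p1aca6f.com name quoted above, and aol.net with its first letter swapped for the Cyrillic “а”.

```shell
#!/bin/sh
# Added example (not from the article): report what a link's hostname really is
# before trusting how an e-mail displays it. Two signs give a look-alike domain
# away: the displayed name contains characters outside printable ASCII, or the
# name the resolver will use carries a punycode label (xn--...).
set -eu

# Pull the hostname out of a URL: strip scheme, path, userinfo and port.
url_host() {
    h="${1#*://}"
    h="${h%%/*}"
    h="${h##*@}"
    h="${h%%:*}"
    printf '%s\n' "$h"
}

# True when any DNS label of the hostname starts with the IDNA prefix xn--.
has_punycode_label() {
    case ".$1" in
        *.xn--*) return 0 ;;
    esac
    return 1
}

# Print a one-line verdict for one URL: "clean: host" or "suspicious: reason (host)".
check_link() {
    host="$(url_host "$1")"
    # Delete every printable-ASCII byte; whatever is left is non-ASCII or a control byte.
    leftover="$(printf '%s' "$host" | LC_ALL=C tr -d '\040-\176')"
    if [ -n "$leftover" ]; then
        printf 'suspicious: non-ASCII characters in hostname (%s)\n' "$host"
    elif has_punycode_label "$host"; then
        printf 'suspicious: punycode label in hostname (%s)\n' "$host"
    else
        printf 'clean: %s\n' "$host"
    fi
}

# With no arguments, run over constructed samples: a genuine-looking name, the
# punycode name quoted in the article, and a name whose first letter is Cyrillic
# (UTF-8 bytes D0 B0, written here as octal escapes).
if [ $# -eq 0 ]; then
    check_link 'https://aol.net/login'
    check_link 'https://xn--p1aca6f.com/'
    check_link "$(printf 'https://\320\260ol.net/login')"
else
    for u in "$@"; do check_link "$u"; done
fi
```

The non-ASCII test is deliberately crude (it flags any byte outside 0x20 to 0x7E), which is the right default for a link arriving in unsolicited mail: a legitimately internationalized domain is rare enough in that context that a false positive costs one extra look at the address bar.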
I digress. Rule number one of not getting suckered by a piece of malware is to not download things that look or sound completely bogus. I realize this advice can’t apply to everyone—your not-so-tech-inclined parents, your click-happy children, or your pet that walks all over your keyboard and mouse when you’re asleep.
For them, consider using a browser extension or app (like OpenDNS) to whitelist a handful of sites they are allowed to visit. You can even whitelist apps directly in Windows and macOS, which can help keep your friends and loved ones from running apps they shouldn’t—which will save them even more stress in the long run.

But if you still get duped anyway...

It happens. If you later learn that something you downloaded might have exposed your Facebook credentials to a bunch of hackers or spammers, you have a few options. (And we’re assuming you’ve already deleted the malware / scanned your system with a strong antivirus and malware-removal app / nuked your computer from orbit.)
First, change your Facebook password—that’s the easiest one. Make it a good, strong password (or passphrase) while you’re at it. This won’t protect your data from being shared around the web, but at least it means others won’t be able to log in as you anymore. This is the best and most important step you can take.
Second, enable two-factor authentication for your account. This might not have helped you in this most recent malware attack, as Ars Technica’s Dan Goodin notes, but it’s still an important security measure:
“It’s always a good idea to protect accounts with multifactor authentication, but it’s not yet clear if that protection would have prevented attackers in this campaign from accessing compromised accounts. Because the malware stole both passwords and cookies, it’s possible the cookies allowed the attackers to bypass the protection.”
Third, use that same page (Facebook’s Security and Login settings page) to enable alerts about unrecognized logins. Then, click on “See more” under “Where You’re Logged In.” If you don’t recognize any systems on this list, or if you see an entry of a system from some foreign country you didn’t visit, say, yesterday, then you’ve been compromised. While you’re here, scroll to the bottom of the expanded list to find the “Log Out Of All Sessions” link. Click that.

Fourth, this is a great time to let friends and loved ones know about the “See recent emails from Facebook” option. If they receive an email from the social network that appears dubious, they can check to see if it’s an authentic email from Facebook in this section. We doubt Facebook would ever ask someone to install, say, a stress-relief application, but there are definitely more clever spoofs of legitimate Facebook emails that might convince a more gullible user to “log in” to a fake Facebook site.

Finally, hit up Facebook’s Payments screen, found on the left sidebar of its Settings page. Click on Account Settings. If you’ve entered one of your credit or debit cards into Facebook for any kind of payment processing, like in-app purchases, consider removing it if you’re no longer using it. If someone does gain access to your account, they won’t be able to make any payments on your behalf or create bogus advertisements to spread the malware even more.


Secure Messaging App Showdown: WhatsApp vs. Signal

So, you’re interested in secure, encrypted chat apps. You have a few different choices, but as with any chat app, what all your friends are using is important. To that end, Signal and WhatsApp are easily the most popular. Here’s how they compare.

The Contenders

Secure messaging apps are growing in popularity as we all come to realize how much data companies collect about us every day. Unlike phone calls, it’s much easier to imagine some giant corporate entity or government getting ahold of one of your chat transcripts and using it for nefarious means. While there are many apps out there that do this, including Apple’s iMessage, WhatsApp and Signal lead the way in popularity, platform availability, and features. Aside from messaging, both apps also include voice and video calling, though we’ll be concentrating on the text messaging capabilities of both here. Let’s break down how both work:
  • Signal: While WhatsApp has the most users between these two, you’ve probably heard about Signal more often in the news whenever people are talking about encryption. Pretty much any article you read about security, from Snowden to Russia, includes a mention of Signal. That’s because every message that’s sent over Signal supports end-to-end encryption (we’ll get into exactly what this means below). This security measure means that if someone intercepted your messages, or found them on a server somewhere, they would see gibberish, not the actual text of a conversation. Signal is also open-source, peer-reviewed, and routinely audited, which means it’s pretty much always up to date from a security standpoint.
  • WhatsApp: WhatsApp has more than 1 billion users, which is an insane number, all things considered. What’s also crazy is the fact that WhatsApp partnered with the company behind Signal, Open Whisper Systems, to integrate the same end-to-end encrypted chat protocol as Signal. Unlike Signal, which bills itself as a security app, WhatsApp bills itself as a messaging application first, which means it has all sorts of silly chat stuff like stickers and GIFs. While the Signal protocol that WhatsApp uses for encryption is open-source, the rest of the app isn’t, so we don’t know everything that happens behind the scenes.
Broad strokes don’t mean much when it comes to actually comparing how these two apps work though, so let’s dig in, starting with the most important part, encryption.

Both Support End-to-End Encryption, But Signal Doesn’t Save Anything It Doesn’t Have To

End-to-end encryption is a term we hear a lot these days, but how it works and why it’s important for security isn’t always clear. Long ago, we sent messages in plain text, meaning that anyone could see the contents of a message if they caught it while it travelled from sender to receiver. Nowadays, many messaging apps use end-to-end encryption. When done correctly, end-to-end encryption prevents a third party from viewing a conversation. It does so by making sure the key that unlocks a message is held only by the receiver, so only they can view it. For a more technical breakdown of exactly how it works, check out the technical audit from last year (PDF).
This also means that even the provider, in this case, WhatsApp and Signal, cannot see the contents of a message. So, if a third party, like a government, attempts to access those messages, they can’t see the content of that message; they’ll see a garbled bunch of characters. Both WhatsApp and Signal use the same exact protocols for encryption. That means you can assume your messages are safe and secure regardless of which service you use. How they store personal information and message metadata differs though.
Metadata is the important part here. Metadata can show who you send a message to and when. You might remember the term from the Snowden leaks, because the CIA was collecting metadata on phone calls. While WhatsApp doesn’t keep your messages beyond the time it takes to deliver them (if the recipient is offline, a message stays on WhatsApp’s servers until it goes through), it does collect a lot of other information about you. Based on their Privacy Policy, this includes usage and log information, device information, contact information, cookies, status updates (like when you were last online), and your location if you choose to share it. They can also put that metadata together using other people’s information. For example, if you’re not sharing your contact list, but a friend of yours is and you’re in it, then they can put those two pieces of information together. It’s also worth remembering that Facebook owns WhatsApp, which means it shares data for ad targeting. You can opt out of this, but it’s a noteworthy feature because the relationship between the two is going to make some people uncomfortable. None of this is bad by any stretch of the word, but it’s still worth noting.
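The two points above, that a provider relaying end-to-end encrypted messages cannot read them but still sees who is talking to whom and when, can be made concrete with the openssl command-line tool. The script below is an added example of my own construction; it is not the Signal protocol that WhatsApp and Signal actually use, which adds identity authentication, key ratcheting and much more. It assumes openssl 1.1.0 or newer is installed. Each party holds an X25519 key pair; the shared secret is hashed with a label into separate encryption and MAC keys (a simplified stand-in for a real key derivation function); a message is AES-256-CTR encrypted and HMAC-SHA256 tagged, so the relay can forward the envelope but can neither read it nor alter it unnoticed, while its log still records sender, recipient, time and size.

```shell
#!/bin/sh
# Added example (not the Signal or WhatsApp protocol): a minimal end-to-end
# encrypted exchange with the openssl CLI. Sender and receiver each hold an
# X25519 key pair; the relay in the middle sees ciphertext plus routing metadata.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

hex() { od -An -tx1 | tr -d ' \n'; }

# Generate an X25519 key pair, writing <name>.pem (private) and <name>.pub.
gen_keypair() {
    openssl genpkey -algorithm X25519 -out "$work/$1.pem" 2>/dev/null
    openssl pkey -in "$work/$1.pem" -pubout -out "$work/$1.pub"
}

# Shared secret from ECDH, hashed together with a label into a 32-byte key (hex).
# Both sides compute the same value: derive_key alice bob X == derive_key bob alice X.
derive_key() {   # derive_key <own name> <peer name> <label>
    { openssl pkeyutl -derive -inkey "$work/$1.pem" -peerkey "$work/$2.pub"; printf '%s' "$3"; } \
        | openssl dgst -sha256 -binary | hex
}

# Encrypt-then-MAC: the envelope is "iv:base64(ciphertext):tag", all the relay ever holds.
seal_msg() {   # seal_msg <sender> <recipient> <plaintext>
    ek="$(derive_key "$1" "$2" enc)"; mk="$(derive_key "$1" "$2" mac)"
    iv="$(head -c 16 /dev/urandom | hex)"
    ct="$(printf '%s' "$3" | openssl enc -aes-256-ctr -K "$ek" -iv "$iv" -a -A)"
    tag="$(printf '%s:%s' "$iv" "$ct" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mk" -binary | hex)"
    printf '%s:%s:%s\n' "$iv" "$ct" "$tag"
}

# Verify the tag first, then decrypt. Fails (status 1) for a tampered envelope
# or for anyone who is not the intended recipient, because their keys differ.
open_msg() {   # open_msg <recipient> <sender> <envelope>
    ek="$(derive_key "$1" "$2" enc)"; mk="$(derive_key "$1" "$2" mac)"
    iv="${3%%:*}"; rest="${3#*:}"; ct="${rest%%:*}"; tag="${rest#*:}"
    expect="$(printf '%s:%s' "$iv" "$ct" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mk" -binary | hex)"
    [ "$tag" = "$expect" ] || { echo 'tag mismatch: wrong key or message altered in transit' >&2; return 1; }
    printf '%s' "$ct" | openssl enc -d -aes-256-ctr -K "$ek" -iv "$iv" -a -A
}

# What the relay (the provider's server) can log: who, to whom, when, how big.
# This is the metadata the article talks about; the text itself never appears.
relay_log() {   # relay_log <sender> <recipient> <envelope>
    printf 'relay: from=%s to=%s at=%s bytes=%d payload=%s\n' \
        "$1" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${#3}" "$3"
}

if [ $# -eq 0 ]; then
    gen_keypair alice
    gen_keypair bob
    envelope="$(seal_msg alice bob 'constructed sample: the meeting moved to 3pm')"
    relay_log alice bob "$envelope"
    printf 'bob reads: %s\n' "$(open_msg bob alice "$envelope")"
fi
```

Run it with no arguments to see the relay line beside what Bob decrypts. The part the article calls metadata is everything in the relay line except the payload, and it is exactly what a provider keeps even when it cannot read a word of the conversation.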
Security researchers also tend to worry about the fact that by default, WhatsApp backs up your data, including chat history, to your phone’s Google or iCloud account. This means that people may accidentally hand over some data to a third party without realizing it. You can disable these backups of course, but many users may not realize it’s happening. One final nitpick with WhatsApp’s security comes from the fact that everyone involved in a conversation needs to be using a recent version of the app that supports encryption in order for it to work. This isn’t a huge deal for most of us, but if you have a friend who never updates their apps, the encryption may not be on for the conversation.
Signal, in turn, has the shortest Privacy Policy I’ve ever seen. They store only what’s required for the service to work, like your phone number, random keys, and your profile information. It then keeps your IP address for as long as necessary to send the information. Like any service, Signal can and will turn over what information they have to a government entity that legally requests it, but they don’t have much in the way of data to begin with.
Both options are secure, but Signal is more privacy-friendly, partially because it lacks the number of features that WhatsApp has.

WhatsApp Has More Users and Features

WhatsApp was a messaging app first and added the security features later on. Signal was all about security first. Because of this, WhatsApp has more now-traditional chat features. Both Signal and WhatsApp also include voice calling and video calling to round out the messaging apps.
WhatsApp allows you to send read receipts, see typing indicators, mute conversations, block contacts, set notifications, and customize what’s downloaded. You can send your location, what you’re listening to, a voice memo, add in GIFs, and more. If you’re on iOS, WhatsApp integrates with Siri so you can send messages or hear messages while on the go. WhatsApp also has some of its own tricks, like Broadcast Lists, which is a group message that looks like it’s sent to a recipient directly, almost like an old-school SMS group spam chat. You can even set the wallpaper background for each conversation thread. WhatsApp does pretty much everything that the likes of iMessage, Messenger, or Hangouts does.
Signal has plenty of features too, though they’re a bit more subdued and arguably more utilitarian. Signal includes a modern style group chat function, supports multimedia messages including GIFs, can send your location, and you can set messages to delete themselves after a set amount of time. In general, it’s more barebones and takes a little longer to update, but that’s on purpose. The simpler it is, the easier it is to keep your data private and secure.

Neither Have Great Desktop Apps

Though WhatsApp is the one to get all the fancy new features we’re all used to in messaging apps, it’s weirdly behind with its desktop app, though Signal is only slightly better.
You can access Signal on your computer, but it’s a Chrome extension. Still, it works well enough. WhatsApp, in turn, has a web app and desktop clients, but they use your phone to access WhatsApp, which means your phone needs to be nearby. If your phone isn’t connecting to the internet, the desktop client will not work. This one’s kind of a wash: neither is great, but at least they have options.

The Verdict: WhatsApp is Great for Security, Signal is Best for Privacy

The good news is that both Signal and WhatsApp are great, and both do their job well. Chances are you’re going to go where your friends are, but if you’re choosing between these two options, then pick which suits your needs.
Which is best for you depends on why you’re using a messaging app. If you want security, as in, you don’t want some random person or government reading your messages, then WhatsApp is plenty for you, though in the case of a security breach, WhatsApp is going to have more information about you in storage. If you prefer a full-blown, all-in, “nobody can see anything that you do in any way shape or form no matter what” solution, then Signal is the app for you.

How to Build a Portable Hacking Station with a Raspberry Pi and Kali Linux

Cracking Wi-Fi passwords, spoofing accounts, and testing networks for exploits is all fun enough, but if you want to take the show on the road, you’ll want an easily portable rig. Enter Kali Linux and the Raspberry Pi.
This post is part of our Evil Week series at Lifehacker, where we look at the dark side of getting things done. Sometimes evil is justified, and other times, knowing evil means knowing how to beat it. Want more? Check out our evil week tag page.

Kali Linux is an operating system built for network penetration testing. You can run it on your laptop to crack nearby Wi-Fi passwords, spoof networks, test for Bluetooth vulnerabilities, and tons of other things. Remember, using this knowledge to break into protected networks will likely get you arrested and charged with a felony—possibly a federal charge of violating the Computer Security Act. You should only use this knowledge for good, for your own learning, and only play with networks you control. We’ve talked pretty extensively about using Kali Linux before, so we won’t go through that here, but check out our guide for an overview of everything you can do with it. All of that applies to the Raspberry Pi version we’ll build here as well.

The Raspberry Pi is a small, credit card sized computer that doesn’t require a lot of power to use. When you combine the Raspberry Pi and Kali Linux together, you get a super-portable network testing machine that you can bring with you anywhere. In this guide, we’ll show you how to get Kali up and running on the Raspberry Pi with a touch screen. This way, you never need to install Kali Linux on your primary computer.

What You’ll Need

Step One: Install Kali on the Raspberry Pi

Before we do anything, you’ll need to download and install the touch screen build of Kali Linux image for the Raspberry Pi. It’s just like installing any other Raspberry Pi operating system, which we’ve walked through in detail here, but here’s the short version:

How to Install Kali to Your SD Card in Windows

Download the Kali Linux Raspberry Pi image for your hardware (Model B/B+ users should grab the TFT version, Raspberry Pi 2 should grab the Pi 2 version) and unzip the .img file inside. Note: If you’re not using the touch screen display, download the regular version of Kali Linux for the Raspberry Pi.
Download Win32DiskImager and unzip the application (.exe file) inside.
Insert your SD card into your Windows PC using a card reader.
Open Win32DiskImager.exe, the application you just downloaded, by double-clicking on it. If you’re running Windows 7 or 8, right click on it and choose “Run as Administrator” instead.
If your SD card isn’t automatically detected by the application, click on the drop-down menu at the top right (labeled “Device”) and choose it from the list.
In the image file section of the application, click the little folder icon and choose the Kali .img file you just downloaded.
Click the Write button and wait for Win32DiskImager to do its thing. When it finishes, you can safely eject your SD card and insert it into your Raspberry Pi.

How to Install Kali to Your SD Card in OS X

Download the Kali Linux Raspberry Pi image for your hardware (Model B/B+ users should grab the TFT version, Raspberry Pi 2 should grab the Pi 2 version) and unzip the .img file inside. Note: If you’re not using the touch screen display, download the regular version of Kali Linux for the Raspberry Pi.
Download RPi-sd card builder (be sure to pick the appropriate version for your installed version of OS X) and unzip the application.
Insert your SD card into your Mac using a card reader.
Open RPi-sd card builder. You’ll immediately be asked to choose an image. Choose the Kali .img file you downloaded earlier.
You’ll be asked if your SD card is connected. Since we inserted it earlier, it is, so go ahead and click Continue. You’ll be presented with SD card options. If you only have one inserted, you won’t see anything else in the list and it’ll be checked. If not, just check only the card you want to use and click OK.
Enter your administrator password and click OK.
You’ll be asked if the SD card was ejected. This is supposed to happen, as the application needs to unmount it so it can perform a direct copy. Double-check that your SD card is no longer available in the Finder. DO NOT remove it from your USB port. When you’re sure, click Continue.
RPi-sd card builder finishes prepping your SD card, safely eject it and insert it into your Raspberry Pi unit.

Step Two: Hook Up the Display


The Raspberry Pi has a GPIO (general-purpose input/output) that the touch screen fits into. On your Raspberry Pi, it’s the set of pins in the corner—it should be pretty obvious how it fits together. Go ahead and click your display into the Raspberry Pi.

Step Three: Plug Everything In and Power On

With the display attached, it’s time to plug everything else in. Plug the Wi-Fi adapter and the keyboard into the USB ports. Then, plug the Pi into your battery pack.
The startup process can be a bit slow and clunky here, so don’t worry if it takes a little while. First, you’ll see a white screen for a little while before the boot process starts up. Eventually, you’re greeted by a login screen.
If you’re using a Raspberry Pi 2, you’ll need to go through some setup stuff here to get the screen working. If you’re using the B+, skip to the next step.
The Raspberry Pi 2 currently requires some extra steps to get the screen working. When you initially boot it up, you’re greeted by a sad, white screen. Thankfully, it’s not too troublesome to get the screen working. Unfortunately, you’ll need either an HDMI monitor to attach the Pi to, or you’ll need to log in over SSH to get through this part. Go ahead and connect either of those and boot up the Pi now.
  1. You’ll see a username and password prompt from the command line on your Raspberry Pi. Type in the username root and password toor.
  2. Start by mounting the boot partition. Type in mount /dev/mmcblk0p1 /boot and press Enter.
  3. Next, you’ll download and install Adafruit’s setup software. Type in wget http://adafruit-download.s3.amazonaws.com/adafruit_pitft_kernel_1.20150420-1.tar.gz and press Enter.
  4. Type in tar xf adafruit_pitft_kernel_1.20150420-1.tar.gz and press Enter to extract that file.
  5. Type in cd adafruit_pitft_kernel_1.20150420-1 and press Enter.
  6. Type in ./install.sh and press Enter. This will take a while. When it’s finished, it’ll ask you to reboot. Say yes and wait for the reboot.
  7. Type in git clone https://github.com/adafruit/Adafruit-PiTFT-Helper.git and press Enter to download Adafruit’s screen software.
  8. Okay, now you need to mount the boot disk again. Type in mount /dev/mmcblk0p1 /boot and press Enter.
  9. Type in cd Adafruit-PiTFT-Helper and press Enter.
  10. Type in ./adafruit-pitft-helper -u /root/ -t 28r and press Enter. This configures your display.
  11. Now you’ll need to fix some issues with the boot screen only showing a blinking cursor. Type in sudo apt-get install xserver-xorg-video-fbdev and press Enter.
  12. Once that’s complete, type in cd /usr/share/X11/xorg.conf.d/ and press Enter.
  13. Finally, type in nano 99-fbdev.conf and press Enter. This will open a text file. You’ll need to copy the following bit of code into the file:

Section "Device"
    Identifier "myfb"
    Driver "fbdev"
    Option "fbdev" "/dev/fb1"
EndSection

When you’re done, press Ctrl+X to save and exit.
That should do it. Go ahead and type reboot and press Enter to restart your Pi with a working screen.
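If you would rather not type the thirteen steps above one at a time, here they are as a single script. This is an added consolidation of mine, not Adafruit’s or Kali’s own installer; the tarball URL, helper repository and the -t 28r display type are exactly the ones in the steps. It assumes you run it as root on the Pi 2 (or over SSH, as the steps describe), once with the argument kernel, then after the reboot with display. The function that writes the X.org snippet takes an output path, so it can be checked on any machine.

```shell
#!/bin/sh
# Added example: the thirteen Raspberry Pi 2 screen-setup steps above as one
# script, split into the phase before the reboot and the phase after it. This is
# my consolidation, not Adafruit's or Kali's installer; run it as root on the Pi.
set -eu

PITFT_TARBALL='adafruit_pitft_kernel_1.20150420-1.tar.gz'
PITFT_URL="http://adafruit-download.s3.amazonaws.com/$PITFT_TARBALL"
HELPER_REPO='https://github.com/adafruit/Adafruit-PiTFT-Helper.git'
DISPLAY_TYPE='28r'   # the -t value from step 10
FBDEV_CONF='/usr/share/X11/xorg.conf.d/99-fbdev.conf'

# Write the X.org snippet from step 13, pointing the fbdev driver installed in
# step 11 at the PiTFT framebuffer /dev/fb1. The output path is a parameter so
# the function can be checked off-device; it prints the path it wrote.
write_fbdev_conf() {
    conf="${1:-$FBDEV_CONF}"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<'EOF'
Section "Device"
    Identifier "myfb"
    Driver "fbdev"
    Option "fbdev" "/dev/fb1"
EndSection
EOF
    printf '%s\n' "$conf"
}

# Steps 2 and 8: mount the boot partition, but only if it is not mounted yet,
# so the script can be re-run without an "already mounted" error.
mount_boot() {
    grep -q ' /boot ' /proc/mounts || mount /dev/mmcblk0p1 /boot
}

# Phase 1 (steps 2 to 6): install the PiTFT kernel, then let install.sh reboot.
install_pitft_kernel() {
    mount_boot
    cd /root
    [ -f "$PITFT_TARBALL" ] || wget "$PITFT_URL"
    tar xf "$PITFT_TARBALL"
    cd "${PITFT_TARBALL%.tar.gz}"
    ./install.sh   # answer yes when it offers to reboot
}

# Phase 2 (steps 7 to 13): run after the reboot to configure the display and X.
configure_pitft_display() {
    cd /root
    [ -d Adafruit-PiTFT-Helper ] || git clone "$HELPER_REPO"
    mount_boot
    (cd Adafruit-PiTFT-Helper && ./adafruit-pitft-helper -u /root/ -t "$DISPLAY_TYPE")
    apt-get install -y xserver-xorg-video-fbdev
    write_fbdev_conf >/dev/null
    echo 'Display configured; run "reboot" to come back up with a working screen.'
}

case "${1:-}" in
    kernel)  install_pitft_kernel ;;
    display) configure_pitft_display ;;
    "")      ;;   # no argument: only define the functions (useful when sourcing)
    *)       echo "usage: $0 kernel|display" >&2; exit 2 ;;
esac
```

The split into two phases mirrors the reboot that install.sh asks for in step 6; mount_boot checks /proc/mounts first because the helper in phase 2 needs /boot mounted again after that reboot, and a second bare mount of an already-mounted partition would stop the script.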

Step Four: Log In and Enable Your Wi-Fi Card

Now it’s time to log in and enable the Wi-Fi card so you can actually use the tools inside of Kali Linux. The Raspberry Pi will automatically recognize your Wi-Fi card, but you’ll still need to log in to your network. First things first, we need to launch the Kali Linux graphic user interface and make sure everything’s working:
  1. You’ll see a username and password prompt from the command line on your Raspberry Pi. Type in the username root and password toor (we’ll change this later on).
  2. Type in startx and press Enter to boot up the graphic interface for Kali. This can take a little while to load on the Pi.
  3. You can now navigate your Pi with the touch screen and your keyboard. Tap the small Terminal icon on the dock in the bottom to open up the command line.
  4. To set up your Wi-Fi card, type nano /etc/network/interfaces into the command line and press Enter to load up the configuration file for your Wi-Fi settings.
  5. Add the following lines to the text file you just opened, substituting your network information in:

auto wlan0
iface wlan0 inet dhcp
    wpa-ssid "your network name"
    wpa-psk "the network password"

When you’re finished, press Ctrl+X to save and exit. Your Wi-Fi card should now work (though you may have to reboot first).

Step Five: Change Your Password

Before you do anything else, you should really change the root password of your device (lest someone else with similar hacking skills gain control of it). Thankfully, it’s easy.
  1. While you’re still in the command line (if you aren’t, go ahead and just tap the Terminal icon in Kali to reopen it), type in passwd and press Enter.
  2. Type in your new password twice.
  3. It’s also good to reconfigure your OpenSSH server now so it’s not set as the default. Type in dpkg-reconfigure openssh-server and press Enter.
Now your little portable system is set up and secure.
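Steps four and five above, the Wi-Fi stanza and the password change, fit naturally into one first-boot script. The one below is an added example of mine, not anything shipped with Kali. It assumes it runs as root on the Pi, that the image uses ifupdown’s /etc/network/interfaces as the steps describe, and that the OpenSSH host keys live under /etc/ssh/ssh_host_*; removing those before dpkg-reconfigure openssh-server makes Debian’s package scripts generate fresh ones, which is the point of step five’s reconfigure: every copy of the same downloaded image otherwise starts with identical host keys. The stanza writer takes an optional file path so its output can be checked off-device.

```shell
#!/bin/sh
# Added example: steps four and five above as a first-boot script, my
# consolidation rather than anything shipped with Kali. Run as root on the Pi:
#   sh first-boot.sh "your network name" "the network password"
set -eu

INTERFACES='/etc/network/interfaces'

# Step four: append the wlan0 stanza. The file path is a parameter so the output
# can be checked off-device. ifupdown wants plain double quotes around the SSID
# and passphrase; the typographic quotes some editors insert are not accepted.
write_wifi_stanza() {   # write_wifi_stanza <ssid> <passphrase> [path]
    ssid="$1"; psk="$2"; conf="${3:-$INTERFACES}"
    if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
        echo 'WPA passphrases are 8 to 63 characters' >&2
        return 1
    fi
    if grep -q '^iface wlan0 ' "$conf" 2>/dev/null; then
        echo "wlan0 is already configured in $conf; edit it by hand" >&2
        return 1
    fi
    {
        printf '\nauto wlan0\n'
        printf 'iface wlan0 inet dhcp\n'
        printf '    wpa-ssid "%s"\n' "$ssid"
        printf '    wpa-psk "%s"\n' "$psk"
    } >> "$conf"
}

# Step five: replace root's password, then throw away the SSH host keys every
# copy of the image shares and let dpkg-reconfigure generate fresh ones.
harden_logins() {
    passwd root
    rm -f /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
    service ssh restart 2>/dev/null || true
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 <ssid> <passphrase>" >&2; exit 2; }
    write_wifi_stanza "$1" "$2"
    ifup wlan0 || echo 'wlan0 did not come up; a reboot usually fixes that' >&2
    harden_logins
}

[ $# -eq 0 ] || main "$@"
```

The passphrase is written to the interfaces file in clear, just as the steps have you do by hand, so keep that file root-readable; the script refuses to add a second wlan0 stanza rather than silently leaving two conflicting ones in place.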

What You Can Do With This Device

From here, what you do with your little portable hacking station is up to you. You can use the touch screen on the Pi for basic navigation and run any program in Kali Linux you want. If you don’t know where to start, here are a few ideas:
The world is your oyster. Hack responsibly, everyone.