Filed under Data security, Network Security by simonmackay on 13/04/2012 at 20:23
Introduction
The recent security scare on the Apple Macintosh platform, its exposure to the Flashback malware, centred on the use of Java on this platform rather than on malware written as native code. Similar risks have also been aimed at this platform through the Adobe Flash runtime environment.
Previously, malware writers targeted the typical computer’s operating system, desktop-productivity software and default Web-browsing environment. This has been especially so with software used by many people, like Microsoft’s Windows XP operating system and Internet Explorer Web browser.
But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.
So malware authors are now turning their arrows towards the multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or that is rolled into some computing platforms.
These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.
One main problem – Java and how it is maintained on the Macintosh
The Java runtime environment used to be delivered with the Windows platform until 2004, due to a legal agreement between Sun and Microsoft over an anti-trust issue. Windows users now pick up the runtime code from Oracle’s Java website, Oracle having taken over the Java environment from Sun.
But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system up to “Snow Leopard” or as a separate download from their Website for users of subsequent versions.
For both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, it, like the Adobe Flash runtime, has to be updated separately.
Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java runtime, and they can set up the Java installer software to deploy the latest version automatically or to notify them of updated Java runtimes. But Apple don’t pass on new updates for the Java runtime to MacOS users as soon as Oracle release them.
What Apple should do is pass on the Java runtime updates as soon as Oracle releases them. This could involve Apple ceding the management of the MacOS X Java runtime to Oracle and writing any necessary integration code to support co-ordinated maintenance of this runtime on the Macintosh platform.
What users can do with these runtime environments
Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run-anywhere” platforms up to date by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through various options offered by the installer.
But do you need to keep any of these runtime environments on your regular computer? You could do without it but some vertical, enterprise and home software requires the use of these runtime environments. In some cases, some developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.
For example, YouTube, most browser-hosted games or file-transfer interfaces for Websites implement Adobe Flash Player while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.
If you are not likely to be running any programs that depend on a runtime environment regularly, or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.
What can the industry do
Use of computer security software to protect against runtime-environment attacks
A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.
This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.
This could be achieved through the use of plug-in modules for current desktop and appliance-level security applications; or for modules that connect to the runtime environments, observing for abnormalities in the way they handle computer resources.
Development of enhanced runtime environments that work with the host operating system’s security logic
It can also be feasible for the runtime environments to work tightly with the operating-system’s user access management and prevent the programs that work behind them from using resources unless they are explicitly allowed to. This could involve use of sandboxes or privilege levels that mimic the operating system’s privilege levels thus working at the lowest level unless they have to work higher.
Consistent and responsive updating of the runtime environment across all platforms
Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.
This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.
Allow design-time native-binary compiling for desktop Java
Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.
It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.
Conclusion
Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and make them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.
Filed under Data security, Network Security by simonmackay on 13/04/2012 at 18:38
Articles
A look at Apple’s Flashback removal tool | MacFixIt – CNET Reviews
Apple releases fix for Flashback malware | Engadget
Java Update for MacOS 10.6
Java for MacOS Lion
My Comments
Apple has reacted to the groundswell of concern about the recent Flashback malware and have issued updates to its Java runtime environment for both MacOS Snow Leopard and Lion.
Here, they have implemented a check-and-remove routine for this Trojan as part of the installation routine for the new Java runtime environment. For most Macintosh users, this will simplify the process of removing any existence of this malware as well as keeping this runtime environment up-to-date.
The CNET article also gave a detailed review of what goes on as well as how to fix situations if the installation takes too long and the procedure hangs. As I have posted previously, Apple could improve on the issue of providing system maintenance and desktop security software so that Mac users can keep these systems in good order.
Filed under Computer Software, Desktop Security Software by simonmackay on 12/04/2012 at 14:32
Introduction
In the late 1980s, when the scourge of computer viruses hitting popular home and small-business computing platforms was real, this issue was exposed across all of the platforms in use at the time. This encompassed Apple’s two desktop platforms, i.e. the Apple II and the Macintosh, along with the Commodore Amiga, the Atari ST and, of course, the MS-DOS-driven “IBM” platform. The computer magazines ran articles about this threat, how to protect against it and how to disinfect your computing environment from these software pests.
But through the 1990s, the Windows / DOS systems were the main malware target, especially the Windows 98 and XP systems that ran Internet Explorer due to their popularity. The other platforms weren’t targeted that much due to their lesser popularity in the field and the computer press didn’t touch on that issue much. It was also because some of these platforms like the Amiga and Atari ST weren’t being supported any more by their manufacturers.
But lately there has been a trend for people to hop from the Windows platform to the Macintosh platform due to reduced targeting by malware authors and the perceived hardening that Apple has done to this platform. This has recently been augmented by the popularity of the iOS mobile-computing devices, i.e. the iPhone, iPod Touch and iPad, as well as the elegant computing devices available on this platform. All of these factors have led to an increased popularity of Apple Macintosh computers in the field, and they have become a target for malware authors.
But most Macintosh users run their computers with the Apple-authored Safari Web browser and are likely to implement Apple iWork or Microsoft Office productivity software. They also run these computers without any desktop-security or system-maintenance tools because they perceive that Apple has made the task of keeping these computers in ideal condition easier than with the Windows platform.
What can Macintosh users do
Macintosh users can harden their computers against malware by installing and keeping up-to-date a desktop security suite. A free example of this is the Avast program that has been recently ported to the Macintosh platform and another paid-for premium example is the Kaspersky desktop-security suite. These programs are, along with a system-maintenance suite like Norton Utilities, a must-have so you can keep these computers working in an ideal condition.
Another practice that I always encourage is to keep all the software on your Macintosh computer lock-step with the latest updates. This can also help with dealing with any bugs or stability issues that may affect how the software runs on your computer. Here, you may want to enable a fully-automatic update routine for security and other important updates or a semi-automatic routine where the Macintosh checks for these updates and draws your attention to any newly-available updates, that you then deploy.
It is also worth disabling Adobe Flash Player, Java and similar “all-platform runtime” environments if you don’t need to run them. There are many articles on the Web about this in response to the Flashback Trojan Horse. Otherwise, make sure that the runtime environments are kept updated. Similarly, you may want to change your default Web browser to a purely-open-source browser like Firefox or Chrome, which are more likely to be kept up-to-date against known bugs and weaknesses. This was also made easier with new-build installations of MacOS X Lion, i.e. when you had a new Macintosh with this operating system “out of the box”. Prior operating systems had the Java runtime installed by default and this survived any operating-system upgrade.
What Apple needs to do
Apple needs to come down from its silver cloud and see the realities of what is involved with keeping a computer in good order. For example, they need to provide desktop-security and system-tuning tools so that users can keep their Macintosh computers in tip-top condition and free from malware. They also need to transparently and immediately implement all updates and upgrades that Oracle releases for the Java environment in to their distribution or allow Oracle to distribute the Java environment for the Macintosh platform.
As well, they need to take a leaf out of Microsoft’s book by implementing a “default-standard-user” setup that has the user operating at a “desktop-user” privilege level by default. The user is then asked if they want to go to an “administrator” privilege level when they perform a task that requires this level, and only for the duration of that task. This is important with home and small-business computer setups where there is typically only one fully-privileged user created for that system.
Conclusion
What the recent “Flashback” Trojan Horse has done is to bring the Apple Macintosh platform to a real level where issues concerning desktop security and system maintenance are as important for it as they are for other platforms.
Filed under CEBit (March - Hannover, Germany), Laptop, Notebook and Netbook Computers by simonmackay on 12/03/2012 at 22:54
Introduction
The CEBit 2012 IT show in Hannover, Germany is one of many technology trade shows covering the European area where there is a strong crossover between product classes. It was positioned at work-based computing but is competing with Mobile World Congress in Barcelona, Spain (smartphones), Internationale Funkausstellung in Berlin, Germany (consumer electronics) and Photokina in Cologne, Germany (digital imaging) as a European showcase platform for consumer and small-business information technology.
It has carried through the overall key trend of work-home computing and the always-mobile business life. This is more so with the emphasis on portable computing equipment and equipment to service the data cloud.
Key issues and trends in computing
Privacy and security in the online age
A key issue that has been raised through this year’s CEBIT show in Hannover is how US-based companies are limiting data privacy in the eyes of Europeans. Regular readers of HomeNetworking01.info may have seen articles being published about this issue, especially an industry interview that I did with Alastair MacGibbon and Brahman Thyagalingham, concerning the responsibility of service providers if something goes awry with the data in their care.
This was brought about through the recent privacy and security changes at Google as well as an increase in data being held “in the cloud”. There was also an underscoring of the importance of trust concerning data in the Internet Age.
Technological trends
PCs and laptops
These “regular” computers have not been forgotten about even though there is a lot of interest in the tablets and smartphones. This has been led by the imminent release by Microsoft of Windows 8, which is available as a consumer-preview version at the time of writing. One feature pitched about this operating system is that it was intended to bridge home and work computing lifestyles with mechanisms like Windows To Go “boot-from-USB” setups.
As well, there was the imminent release of the Ivy Bridge chipset and processor families by Intel, with these offering graphics that are close to “gaming quality” but with economical power consumption. There was also a “Super SSD” drive being premiered which had 512GB of solid-state storage in a 2.5” housing for the current generation of portable computers.
This year has seen more of the Ultrabooks being released by the various manufacturers and in different variants.
An example of this was Acer showing their new range of equipment with the Timeline Ultra M3. This was a so-called “15-inch Ultrabook” which had an optical drive and NVIDIA GeForce discrete graphics, with variants available with a hard disk or solid-state-drive only for their secondary storage.
Acer had also premiered their V3 lineup of 14”, 15” and 17” budget-friendly laptops with the 17” variant having a Blu-Ray optical drive. They also premiered the V5 11”, 14” and 15” slim mainstream laptops with the 14” and 15” varieties being equipped with discrete graphics as an option.
Toshiba also fielded a variant of the Portege Z830-120 Ultrabook with WiDi Wi-Fi-driven display link technology and was promising a “brown-goods” LCD TV with WiDi display functionality. I would say that this function may appear in a higher-end LCD chassis which serves a particular run of high-end lounge-room sets.
Of course, there would be some computers that are positioned as “bridge” units between the regular laptop and the tablet, typically being equipped with a touchscreen and a keyboard at least. Examples of these would include ASUS “Transformer” variants with detachable keyboards or “swivel-head” convertible laptops. These could be based on either an ARM RISC microarchitecture or the classic Intel microarchitecture with them running Windows or Android. They would be pitched at those of us who like the touchscreen tablet experience but also want to use a proper keyboard to create content.
Smartphones and Tablets
The smartphone and tablet scene at this fair has been affected by two issues. One is Apple releasing their third-generation iPad with the higher-resolution “Retina” display and A5x graphics subsystem concurrently with this show, setting the cat among the pigeons. Of course, the patent fights are still on with Apple over tablet-computer design with some of the lawsuits still not resolved.
The other is that a lot of the smartphones and tablets destined for Europe were premiered at the previous Mobile World Congress in Barcelona, Spain. But there were a lot of the tablets being exhibited in Hannover.
Key features that were being put up included near-field communications which enabled “tap-and-go” payment and data transfer for these devices, larger screens for this device class, LTE wireless-broadband and DLNA implementation. As well, the Android devices are being released with quad-core processors, keyboard docks, glasses-free 3D, full HD graphics and other more attractive features.
As for LTE 4G wireless broadband, an increasing number of European mobile carriers are rolling out LTE networks through their market areas and are launching phones, tablets and modems that work with this technology.
Conclusion
What it sounds like is that the CEBit show is underpinning a mobile cloud-driven computing environment which is to support “regular” and mobile usage classes.
Filed under Data security, Network Management by simonmackay on 13/12/2011 at 17:09
Article
HP sued over security flaw in printers | Security – CNET News
My comments
An increasing trend that I have covered on this site and have noticed with equipment that I have reviewed is for the equipment to be updated with new firmware after it is sold to the customer.
Field-updating practices
Previously, this practice involved the device’s user using a regular computer as part of the update process. In a lot of cases, the user would download the update package to their computer and run a special program to deploy the update to the connected device. If the device, like a router, was connected via the network, the user uploaded the update package to the network-connected device via its management Web page or other network-file-transfer methods.
Now it is becoming more common for one to update the software in their device without the need to use a regular computer. This would be done using the setup options on the device’s control surface to check for and, if available, load newer firmware.
It also includes the device automatically polling a server for new firmware updates and inviting the user to perform an update procedure or simply updating itself during off-hours for example; in a similar vein to the software-update mechanisms in Windows and MacOS.
As well, an increasing number of devices are becoming able to acquire new functionality through the use of “app stores” or the installation of add-on peripherals.
The HP lawsuit concerning printer firmware
Just last week, there has been a lawsuit filed against HP in San Jose District Court, California, USA concerning weaknesses in the firmware in some of their printers allowing for them to accept software of questionable origin. Issues that were raised were the ability to load modified software that could facilitate espionage or sabotage. This was discovered through lab-controlled experiments that were performed on some of the affected printers.
As all of us know, the firmware or apps are typically held on servers that can be easily compromised if one isn’t careful. This has been made more real with the recent Sony PlayStation Network break-ins, although data pertaining to users was stolen this time. But it could be feasible for a device to look for new firmware at a known server and find compromised software instead of the real thing.
They even raised the question not just of the software that is delivered and installed using a computer or network, but of the ability to install ROM or similar hardware chips into the device to alter its functionality. I would also see this including the ability to pass in code through “debug” or “console” ports on these devices that are used to connect computers to the devices as part of the software-development process.
This could have implications as equipment like home appliances, HVAC / domestic-hot-water equipment and building security equipment become field-programmable and join the network all in the name of “smart energy” and building automation. Issues that can be raised include heaters, ovens or clothes dryers being allowed to run too hot and cause a fire or building alarm systems that betray security-critical information to the Social Web without the users knowing.
Further ramifications of this lawsuit
Device manufacturers will have to look at the firmware that governs their products in a similar vein to the software that runs regular and mobile computing equipment. This includes implementing authenticated software delivery, software rollback options and the requirement to keep customers in the loop about official software versions and change-logs (differences between software versions).
In some cases, business computing equipment like laser printers will have firmware delivered in a similar manner to how computer software is rolled out to regular computers in larger businesses. This includes software that enables centralised firmware deployment and the ability to implement trial-deployment scenarios when new firmware or add-on software is released.
Devices that have proper-operation requirements critical to data security or personnel / building safety and security may require highly-interactive firmware delivery augmented with digital-signature verification and direct software-update notification to the customer.
Similarly, security-software vendors may push for a system of integrating software solutions, including “edge-based” hardware firewall appliances in the process of software delivery to other devices.
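A device-side check of the kind the paragraphs above call for (authenticated delivery, digital-signature verification, user-controlled rollback), as an added example that is not from the lawsuit or any vendor’s firmware: the manifest format, the vendor key burned into the device and the version rule are assumptions, built on Go’s standard Ed25519 and SHA-256.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the (hypothetical) signed metadata a device fetches alongside a
// firmware image. The vendor signs this, not the bare image, so the device can
// also check the version it is being offered.
type Manifest struct {
	Version   uint32
	ImageHash [sha256.Size]byte
}

// encode serialises the manifest deterministically so the signature covers
// exactly the fields the device will act on.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrDowngrade    = errors.New("offered version is older than the installed firmware")
)

// SignManifest is the vendor-side (build server) step, included so the example
// runs end to end. The private key never leaves the vendor.
func SignManifest(vendorPriv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(vendorPriv, m.encode())
}

// VerifyUpdate is the device-side gate run before anything is written to flash:
// the manifest must be signed by the vendor public key burned into the device,
// the downloaded image must hash to the value in that manifest, and an
// unsolicited downgrade is refused unless the user explicitly chose a rollback.
// A compromised update server can serve any bytes it likes, but the device will
// only install an image the vendor actually signed.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32, userRollback bool) error {
	if !ed25519.Verify(vendorPub, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version < installed && !userRollback {
		return ErrDowngrade
	}
	return nil
}

func main() {
	// Constructed vendor key pair and firmware image for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2")
	m := Manifest{Version: 2, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, image, 1, false))

	// Update server swaps the image but keeps the genuine manifest: hash check fails.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(pub, m, sig, tampered, 1, false))

	// Manifest edited to claim a newer version: the signature no longer verifies.
	forged := Manifest{Version: 9, ImageHash: m.ImageHash}
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, sig, image, 1, false))

	// Server offers an old but genuinely signed image to a device already on version 3.
	fmt.Println("downgrade:", VerifyUpdate(pub, m, sig, image, 3, false))
	fmt.Println("user-chosen rollback:", VerifyUpdate(pub, m, sig, image, 3, true))
}
```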
Conclusion
What I would like to see out of this case if it is allowed to go “all the way” is that it becomes a platform where issues concerning the authenticity, veracity and safety of field-updatable firmware for specific-purpose devices are examined.
Filed under Network Security by simonmackay on 02/12/2011 at 13:46
Article
Scareware slingers stumped by Google secure search • The Register
My Comments
Google has allowed users to perform a “Secure Search” option where their search-engine transactions are encrypted between the Google servers and their computer. This can be either facilitated through the user typing https://www.google.com or setting it as a default for their Google services account.
Obviously this feature is intended to provide private secure-search sessions over open networks like Wi-Fi hotspots that are set up in the common open manner. But it also has a side benefit: destination Web sites don’t know what search terms brought the user to them, making it harder to tune search listings without the use of tools like Google Analytics.
The key obvious benefit is to stop the appearance of “poisoned” search listings that lead users to “scareware”. These are Trojan Horses which appear to be legitimate system utilities but are intended to separate the user from their money by spruiking horrendous system conditions to the user. Of course, I have had to deal with this menace by removing these programs from various friends’ computers.
The only limitation with this setup is that it only applies by default for people who are currently logged in to a Google service of some form like GMail. For users who share computers, they would have to start a Google-services session then head to the Google.com Website to start searching; or simply remember to type the https prefix. This can be achieved through the Google bookmark, favourite item or Intranet page hyperlink pointing to https://www.google.com .
At least this is another Web security item that offers more than is typically highlighted.
Filed under Feature Article, Network Lifestyle And Activities by simonmackay on 08/06/2011 at 17:53
Another increasingly-popular social network service is Twitter. This was intended as a “microblogging” service but some people have been implementing it as another social network.
Like the similar Facebook article that I have written for Facebook novices, this will list who will see which information you post when you use Twitter. Here, I would recommend this as a bookmark or favourite or as something to print out and keep near the computer or have available on the business intranet.
Twitter lexicon
| Term | Meaning |
|---|---|
| Tweet | A public Twitter post. Also, to leave a public post on Twitter. |
| Follow | To subscribe to a Twitter user’s Tweets (public comments). |
| Follower | A person who subscribes to a user’s Tweets. Is also capable of receiving direct messages from the users they follow. |
| Hashtag | A reference tag that is preceded by a # (hash) symbol and is used for filtering Tweets on a topic. Used primarily in front of cities, TV shows, brands, etc. |
| Mention or Reply | A Tweet that features a Twitter user, with that user’s name preceded by an @ symbol. |
Who sees what
| What you do | Who sees this | Notes |
|---|---|---|
| When you post a Tweet | All your Twitter Followers | |
| When you Retweet someone else’s Tweet | All your Twitter Followers | Your followers will see the original Tweet suffixed by “Retweeted by <your_user_name>” |
| When you reply to someone else’s Tweet or mention another user in your Tweet | All your Twitter Followers | The Tweet will have the other person’s username preceded by the @ symbol, and that user will be able to see the mention or reply in the “reply / mention” filter |
| When you send a direct message to a Follower | Only the specific Follower that you address | Your Follower has to be following you to be able to be contacted by a Direct Message |
What to do where on Twitter
| What you want to do | How to do it | Notes |
|---|---|---|
| General comment or broadcast message | Post a Tweet | Be careful what you write, as all followers or potential followers can see what you write. |
| Reply to someone else’s Tweet or mention a Twitter user where confidentiality isn’t required | Post the Tweet using the Reply or Mention tools | Again, be careful what you say when you write these posts. This can be good for congratulating the user or offering some sympathy on an event they Tweeted about. |
| Direct private message to a Follower | Post a Direct Message | |
If someone follows you on your Twitter account, it may be a good idea to check that person out when you receive the notification by email. Here, you could then consider following that person and being able to use direct messaging as appropriately.
It is also worth noting that a lot of social Twitter users use “textspeak” (abbreviations and acronyms for common expressions used when sending SMS messages) when they send out Tweets. So you may have to use resources like the Urban Dictionary to help you understand some of this lingo.
Filed under Feature Article, Network Security by simonmackay on 28/02/2011 at 16:24
Introduction
You might be considering setting up that complimentary hotspot for your guests to use but there are certain risks to be aware of concerning the security of your business and your guests’ data and identity.
Risks that have been highlighted include confidential-data and identity theft performed against customers as they work this data from their portable devices; as well as clandestine computer activity like the downloading or serving of illegal content; or the distribution of spam email, performed using computers connected to public Internet networks like wireless hotspots.
As well, there may be other imperatives required of people who provide Internet access to the public. These imperatives, asked for by various local, state / regional or national governments, may include requirements like keeping a log of whom you provide Internet access to or session tracking. I am therefore not in a position to explain how to satisfy these needs, and it is best to seek local advice on this topic.
Therefore, your business should know who is using the hotspot service and be able to make sure that the people who benefit are the business’s customers or guests. This means that the customers or guests are actually going to be operating the network device that they use when connecting to the service and also operate it on your premises. As well, your customers know that they are going to actually benefit from your hotspot service when they log in to this service.
The cafe or bar as a “second office”
This is more important for the cafe as an increasing number of businesspeople use these places as “second offices” where they can work without unnecessary office-borne distraction or as places where they meet their colleagues or business partners. Here, these people will be working on workplace-confidential data and most of these workplaces place high value on the security of this data as it travels between the laptop and the workplace’s main computer systems.
In fact, the reason I have decided to publish this article was because a cafe that I regularly visit in Camberwell (Melbourne, Australia) had just started to offer free public Wi-Fi access but I had wanted them to provide a free Wi-Fi service that is safe for their customers. Here, they had an ordinary wireless router as the Internet service but they needed help in getting this service working properly and safely. They also wanted to make sure that this resource was available just to their customers as part of their customer service.
Your equipment
When you start out with your complimentary-use hotspot service, you may use a wireless router hooked up to a separate Internet service or use one with a “guest-access” or hotspot function and is connected to your common Internet service.
This should be set up to cover your public area such as the bar areas in your bar or the dining room in your cafe. In some situations, you may need to use an additional access point to cover larger areas or get your signal past thick walls. This is something I have covered in this site as a separate article.
As well, if your equipment works on 802.11n technology, it should be set to a compatibility mode where it works with both 802.11g and 802.11n devices. This caters for the fact that many devices in circulation, especially smartphones, only support 802.11g, and people may run battery-operated 802.11n-capable devices in 802.11g mode to conserve battery runtime.
Your SSID or Network Name
The SSID or network name is very important to your hotspot's identity. It should reflect your business's name and make clear that it is a public or guest Wi-Fi service. An example I used for a basic complimentary-use Wi-Fi hotspot that I set up at a coffee lounge recently was MORAVIA-PUBLIC-WIFI: this reflected the coffee lounge's name (MORAVIA) and stated that the service was a public Wi-Fi hotspot hosted by this business. With one clearly advertised name, you and your customers can more easily spot "evil-twin" or "fake-hotspot" devices left on or near the premises to capture customers' sensitive data, because any look-alike name is immediately suspect. Bear in mind that an attacker can copy the advertised name exactly, so the name alone is not proof; the passphrase, client isolation and regular passphrase changes described under "Hotspot security" are what make such a device harder to pass off as yours.
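As an added example (not code from the original article), here is a small Python survey script that applies that check to a list of scanned networks. The scan records are constructed for illustration, and the cafe's own access-point BSSID is an assumed value; on a real walk-around you would take the records from a Wi-Fi scanner and compare against the BSSID printed on your router. It flags three things: the advertised name coming from an access point that is not yours, a near-match name that differs only in case or separators, and any other network reusing the business name.

```python
"""Flag look-alike or rogue networks in a Wi-Fi scan.

Added example for this article, not code from the original page. The scan
records below are constructed; the cafe's own BSSID is an assumed value.
"""
import re
from dataclasses import dataclass

BUSINESS_NAME = "MORAVIA"                 # from the article
ADVERTISED_SSID = "MORAVIA-PUBLIC-WIFI"   # from the article
OWN_BSSIDS = {"00:11:22:33:44:55"}        # assumed: the cafe's own access point


@dataclass
class ScanRecord:
    ssid: str
    bssid: str
    security: str  # "WPA2", "WPA", "WEP" or "open"


def normalise(ssid: str) -> str:
    """Collapse case, whitespace and separators so that 'Moravia Public WiFi'
    and 'MORAVIA_PUBLIC-WIFI ' compare equal to the advertised name."""
    return re.sub(r"[\s_\-]+", "", ssid).upper()


def classify(rec: ScanRecord, advertised: str = ADVERTISED_SSID,
             own_bssids: set = OWN_BSSIDS, business: str = BUSINESS_NAME) -> str:
    """One verdict per scanned network."""
    own = {b.lower() for b in own_bssids}
    if rec.ssid == advertised:
        if rec.bssid.lower() in own:
            # exact name from our own radio: fine as long as it is WPA-secured
            return "ok" if rec.security in ("WPA", "WPA2") else "own AP but not WPA-secured"
        # exact name from a radio we do not own: the classic evil twin
        return "evil twin: advertised name, unknown access point"
    if normalise(rec.ssid) == normalise(advertised):
        return "look-alike name"
    if business.upper() in normalise(rec.ssid):
        return "uses business name"
    return "unrelated"


def survey(records, **kw) -> dict:
    """Map (ssid, bssid) -> verdict for every record in the scan."""
    return {(r.ssid, r.bssid): classify(r, **kw) for r in records}


# Constructed scan results for illustration.
SAMPLE_SCAN = [
    ScanRecord("MORAVIA-PUBLIC-WIFI", "00:11:22:33:44:55", "WPA2"),
    ScanRecord("MORAVIA-PUBLIC-WIFI", "66:77:88:99:AA:BB", "open"),
    ScanRecord("Moravia Public WiFi", "66:77:88:99:AA:CC", "open"),
    ScanRecord("MORAVIA-FREE", "66:77:88:99:AA:DD", "open"),
    ScanRecord("NeighbourNet", "DE:AD:BE:EF:00:01", "WPA2"),
]

if __name__ == "__main__":
    for (ssid, bssid), verdict in survey(SAMPLE_SCAN).items():
        print(f"{ssid!r:26} {bssid}  {verdict}")
```

Run it after each passphrase change or whenever a customer reports a second network with your name; anything other than "ok" or "unrelated" is worth walking the room for.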
This SSID must be used in all signage advertising your hotspot and the signage must reflect your company’s identity. This means that it either has your company logo and name or be in your company’s styling. In this case, the signage about the hotspot should at least exist beside the cash-register and the door, preferably at eye-level or near the main handle or pull.
Hotspot security
Basic security
Your hotspot network should be secured with a WPA-PSK passphrase (WPA2 with AES/CCMP where your equipment supports it, rather than the older WPA/TKIP) which your staff give out to customers who want to use the hotspot service. As well, the network should have wireless-client isolation enabled, so that customers using the hotspot cannot browse on to each other's computers.
Previously there wasn't much wisdom in implementing link security on a public-use wireless network, but now that most computers and handheld devices support WPA-based link security, enabling it is still worth it for the control and security it adds to a public-use wireless network. Keep in mind that a shared passphrase is a modest layer: anyone who has it and captures another device's connection handshake can decrypt that device's traffic, and client isolation only stops customers reaching each other's devices through the access point. This is why the VPN point below matters for business users.
It is still important to change the WPA-PSK passphrase regularly, at least twice a month; some environments may require a weekly change. This makes it harder to set up a "fake hotspot" using your service's credentials or to keep a computer logged in to the hotspot service without you knowing.
As well, your hotspot should properly support VPN pass-through for the common VPN protocols (IPsec/ESP, PPTP/GRE, L2TP and SSL VPNs) so that business users can log in to their workplace VPNs without any headache.
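As an added example (not code from the original article or from any router's firmware), the following Python generates a fresh passphrase for the fortnightly change, derives the 256-bit PSK the way IEEE 802.11i specifies, and writes the hostapd settings that express the points above: WPA2 with AES/CCMP, client isolation, and 802.11n on top of 802.11g compatibility. The hostapd option names are real; the interface, channel and SSID are assumed. On a consumer router you would type the same passphrase and tick the equivalent boxes in its Web interface instead.

```python
"""Rotate the hotspot's WPA2 passphrase and emit the matching hostapd settings.

Added example for this article, not code from the original page or from
any router vendor. The hostapd option names are real; the SSID, interface
and channel are assumed. The PSK derivation is the one IEEE 802.11i
specifies (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as salt), so the
hex value matches what hostapd or wpa_supplicant compute from the same
SSID and passphrase.
"""
import hashlib
import secrets

# Letters and digits without 0/O/1/I so staff can read the passphrase out
# or write it on a docket without ambiguity (assumed policy).
PASSPHRASE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_passphrase(length: int = 16) -> str:
    """Fresh random passphrase for the fortnightly (or weekly) rotation."""
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def validate_passphrase(passphrase: str) -> str:
    """WPA/WPA2 passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return passphrase


def derive_psk(ssid: str, passphrase: str) -> str:
    """256-bit PSK as 64 hex characters. The SSID is the salt, so the same
    passphrase gives a different key on a differently named network."""
    validate_passphrase(passphrase)
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def hostapd_config(ssid: str, passphrase: str, interface: str = "wlan0",
                   channel: int = 6) -> str:
    """hostapd.conf fragment: WPA2-only, AES/CCMP, 802.11n on top of 11g
    (the compatibility mode discussed above) and client isolation."""
    lines = [
        f"interface={interface}",
        f"ssid={ssid}",
        "hw_mode=g",            # 2.4 GHz, 802.11g base rates
        f"channel={channel}",
        "ieee80211n=1",         # 11n clients get 11n, 11g clients still join
        "wpa=2",                # WPA2 only; wpa=3 would also admit WPA/TKIP
        "wpa_key_mgmt=WPA-PSK",
        "rsn_pairwise=CCMP",    # AES, not TKIP
        f"wpa_psk={derive_psk(ssid, passphrase)}",
        "ap_isolate=1",         # wireless-client isolation
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    passphrase = new_passphrase()
    print("Passphrase to hand to customers:", passphrase)
    print(hostapd_config("MORAVIA-PUBLIC-WIFI", passphrase))
```

Because the PSK is salted with the SSID, renaming the network without changing the passphrase still produces a new key, but that is no substitute for the rotation: the passphrase is what customers (and anyone they pass it to) hold.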
Special hotspot-gateway devices
If you want greater control over your public Internet service, it may be worth implementing a "docket-printer-based" wireless hotspot gateway like the Netcomm HS-1100, Solwise WAS-105R or Zyxel N4100.
These devices direct users to a login page where they key in a session login and password transcribed from a paper docket printed by a docket printer attached to the hotspot gateway. If you intend to offer a paid service, these devices let you use the same payment methods and paths you use to accept payment for your goods and services.
This is unlike some other hotspot gateway setups that require the potential user to pay another company directly, by credit card or through an account maintained by that other company, using a payment form hosted by that hotspot. Typically, a lot of these setups are managed in a manner where you don't have much control over how the service is provided, not dissimilar to how most vending and amusement machines are run: you don't own the equipment, representatives visit the premises to maintain it, and you get a small "cut" of the takings.
As well, the session login details that your users type in from these dockets are valid only for a set time. This matters most for a paid service, but it is also useful for managing a complimentary service, since you can be sure that the people using your service are customers or guests who are in your public areas.
If you do run one of these dedicated hotspot gateway devices, such as a “docket-printer-based” device, the wireless network that these devices operate should still have WPA-PSK security with the passphrase changed regularly. The “docket-based” devices will list the WPA-PSK passphrase on that same docket so your customers can still log in to your hotspot from their device.
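As an added example (not code from the original article or from the gateways named above), here is Python modelling the session logins such a docket gateway issues and checks, and the docket it prints. It assumes the session clock starts at the customer's first login, that an unused docket lapses a day after printing, and that the current Wi-Fi passphrase is printed on the same slip, as described above; the code alphabet and timings are assumptions.

```python
"""Time-limited session logins like those a docket-printer hotspot gateway
prints, plus the docket text itself.

Added example, not code from the original article or from any of the
gateways named in it. Assumptions: the session clock starts at the first
successful login, a docket that is never used lapses 24 hours after it is
printed, and logins and passwords are 6-character codes from an alphabet
without 0/O/1/I so they survive being read off thermal paper.
"""
import secrets
from datetime import datetime, timedelta

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def random_code(length: int = 6) -> str:
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


class VoucherStore:
    """In-memory voucher table; a real gateway would persist this."""

    def __init__(self, unused_lifetime: timedelta = timedelta(hours=24)):
        self._vouchers = {}
        self.unused_lifetime = unused_lifetime

    def issue(self, minutes: int, now: datetime):
        """Create a voucher good for `minutes` of use; returns (login, password)."""
        login = random_code()
        while login in self._vouchers:        # avoid a clash with a live voucher
            login = random_code()
        password = random_code()
        self._vouchers[login] = {"password": password, "minutes": minutes,
                                 "issued": now, "first_login": None}
        return login, password

    def check(self, login: str, password: str, now: datetime) -> bool:
        """True if this login may use the hotspot at time `now`."""
        v = self._vouchers.get(login)
        if v is None or not secrets.compare_digest(v["password"].encode(),
                                                   password.encode()):
            return False                      # unknown login or wrong password
        if v["first_login"] is None:
            if now - v["issued"] > self.unused_lifetime:
                return False                  # printed but never used in time
            v["first_login"] = now            # the session clock starts now
        return now - v["first_login"] <= timedelta(minutes=v["minutes"])


def docket_text(business, login, password, minutes, ssid, wifi_passphrase, issued):
    """What the docket printer would produce: the business name, the
    session login, and the current Wi-Fi passphrase on the same slip."""
    return "\n".join([
        business.upper(),
        "Complimentary Wi-Fi docket",
        f"Printed: {issued:%d/%m/%Y %H:%M}",
        f"Network (SSID): {ssid}",
        f"Wi-Fi passphrase: {wifi_passphrase}",
        f"Login: {login}   Password: {password}",
        f"Valid for {minutes} minutes from first login",
    ])


if __name__ == "__main__":
    store = VoucherStore()
    now = datetime(2011, 2, 12, 10, 0)          # constructed timestamp
    login, password = store.issue(60, now)
    print(docket_text("Moravia", login, password, 60,
                      "MORAVIA-PUBLIC-WIFI", "K7QX3WDR9MHB2TVC", now))
    print(store.check(login, password, now + timedelta(minutes=5)))
```

The two expiry rules together are what give you the "customers who are in your public areas" property: a docket cannot be hoarded and used next week, and a session cannot be kept alive from across the street once its minutes run out.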
Branding options
If you do implement these devices, make sure that you know how to brand the customer-facing user interfaces.
Most of these devices can allow you to upload a graphic and integrate it in to the login interface or they can allow you to upload customised login screens or point to a Web server for the login interface graphics. The latter option may appeal to you if you have a good hand with creating basic HTML Web pages.
Here, make sure that you have your business name and logo and, if you can do it, set the colour scheme to your business’s colour scheme. As well, make sure that your business name appears on the access dockets that your hotspot gateway prints out.
Power outlets
With a hotspot, always expect that some of your customers will use the power outlets on your premises to run their laptops or smartphones from AC power rather than drain the battery. This is more so with customers who are operating older equipment whose batteries are "on their last legs", or who are working over VPN sessions to "pick up" files from work and want to be sure this completes properly.
A few double outlets near the tables can work wonders here, and if an outlet is already used for a device like a lamp, that device could be connected through a multi-socket power-board with spare outlets for a few appliances.
Conclusion
Once you know how to choose and set up your public-use wireless network properly, you can make sure that this is a service that your customers and guests will benefit from fully. This may even put your business “on the map” as far as customer-service extras are concerned.
Filed under Network Security by simonmackay on 12/02/2011 at 00:55
News Article
Phone scammers target computer owners | ABC News Australia
Alert over scam phone calls about bogus computer virus | Wolverhampton City Council (United Kingdom)
My Comments
Just today, a friend of mine who I live with received a phone call on our house phone saying that her computer was infected with a virus, and she was instructed to carry out certain procedures on the household computer. Luckily she told the caller to hang up, put the phone down and didn't head towards the computer. This was very good for someone who hasn't much familiarity with computer technology.
This is part of a scourge affecting home and small-business computer users, and computer novices are more at risk from this fraud because they may not know the difference between a virus infection and a computer that is merely very sluggish.
There has been press coverage, and coverage on government consumer-protection Websites and in bulletins around the world, concerning this topic, with a lot of weight placed on the scammers claiming to represent Microsoft. But the scammers can also pretend to represent other legitimate IT companies like antivirus software firms.
If you need outside help with computer issues, you will almost always have initiated the contact yourself, whether through a computer-expert neighbour, relative, friend or acquaintance; your workplace's IT support, if your workplace has such a department; or your computer supplier. Legitimate companies do not cold-call to tell you that your computer is infected.
What these callers tend to do is lead the user to download and install malware, usually spyware or a remote-control tool that gives the caller the run of the computer, or to fill in forms with email addresses and credit-card details in order to facilitate various forms of fraud against the user. This can take the form of milking their bank account and credit card of usable funds, inundating their email inbox with spam, or stealing other information that is confidential to them or their business.
So I would encourage all users to be careful of unfamiliar “call-centre” phone calls about computer viruses or similar issues and simply hang up when they receive these calls. As well, they should keep their desktop security programs on their computers up-to-date so as to protect against the various scams.
Other tactics that you may consider would be to threaten the scammers with legal action or question them about whether they can do business legally in your country. A good example would be asking them for their tax-registration details that are required of them if they do business in your country, such as the VAT registration details if you are in Europe or the Australian Business Number if you are in Australia.
Filed under Mobile Computing, Network Security by simonmackay on 22/01/2011 at 13:59
Article
Mobile Users More Susceptible to Phishing Scams – www.enterprisemobiletoday.com
My comments
Why are mobile (smartphone and tablet-computer) users more susceptible to phishing scams?
The main reason is that the operating interface on the mobile computing devices is totally different to the operating environment on a desktop or laptop computer.
One main reason is that these devices have smaller screens, so their Web browsers and email clients don't have a large display area. This leads software designers to create a "clean and simple" user interface for software pitched at these devices, with minimal controls, which hides details such as fully-qualified email addresses and URLs. A lot of these devices even conceal the address bar where the user enters the URL of the page to be visited unless the user is directly entering a URL. Similarly, the email client shows only the display name for an incoming email, especially in the commonly-used "list view".
This is compounded by the lack of a "B-option" interface in a mobile operating system, compared to what is accepted in a desktop operating environment, where right-clicking with a multi-button mouse or Ctrl-clicking on a single-button-mouse Macintosh opens a context-sensitive secondary menu. Similarly, scientific calculators use an [F] key and/or an [INV] key to modify the function of formula buttons, either to gain access to the inverse of a formula or to obtain another formula.
Such an option would allow the user to select a “function” button before selecting the option or displayed item in order to open a context-sensitive secondary-function menu or select a secondary function.
This discourages users from checking the URL they intend to click on in an email or the fully-qualified email address for an incoming email.
What could be done?
The Web browser and email client could support "phish detection" which provides a highly-visible warning that one is heading to a "phishy" Web site or receiving a suspicious email. This function is provided in just about every desktop browser and email client that most of us use but is rarely implemented in mobile clients. Similarly, an email service could integrate filtering for phishy emails as part of its value-added spam-filter service.
There could even be a "magnifying glass" touch button on the browser or email-client user interface which, when selected before you select an email address or URL, shows the fully-qualified email address or URL as a pop-up, with the domain name emphasised or written in a distinct colour so you know where you are really going. The same interface could also apply when one enters a URL directly into the Web browser.
Mobile browsers could also support Extended Validation (EV) SSL certificates by showing a distinct graphic for fully-validated sites. As well, a wireless-broadband provider or Wi-Fi hotspot could offer a "phish-verify" proxy service so that users see a "red flag" if they attempt to visit a phishy Website, similar to what happens in Internet Explorer when a user visits a suspicious Website. This is similar to how some mobile providers warn that you are heading to a website that isn't part of their "free-use" list, and they could integrate this logic into those proxy servers.
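As an added example, not from the original article, here is Python that implements the part of that "magnifying glass" pop-up a client could actually compute: it sets the registrable domain apart from the rest of a URL and flags the common tricks that the small-screen interface hides (a brand name as a subdomain, a "user@" prefix masquerading as the host, a raw IP address, a non-HTTPS link). The same registrable-domain check is applied to an email sender, comparing the display name a list view shows against the address behind it. The brand table and the short list of two-level public suffixes are assumptions; a real client would load the full Public Suffix List.

```python
"""Show where a link or an email really goes, the way a 'magnifying glass'
pop-up on a mobile client could.

Added example, not code from the original article. BRANDS and
TWO_LEVEL_SUFFIXES are assumed stand-ins: a real client would use the
Public Suffix List and a proper brand/domain table.
"""
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlsplit

# keyword that appears in phishing lures -> registrable domain it really uses (assumed)
BRANDS = {"paypal": "paypal.com", "westpac": "westpac.com.au"}

# tiny stand-in for the Public Suffix List (assumed; incomplete)
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "net.au", "org.au", "co.nz"}


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """'www.paypal.com.evil.example' -> 'evil.example'; 'login.bank.co.uk' -> 'bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def emphasise(url: str) -> str:
    """Render the URL with the registrable domain in brackets (the part a
    pop-up would colour); port and query string are dropped for brevity."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_ip(host):
        shown = f"[{host}]"
    else:
        reg = registrable_domain(host)
        shown = host[: len(host) - len(reg)] + f"[{reg}]"
    return f"{parts.scheme}://{shown}{parts.path or '/'}"


def url_warnings(url: str) -> list:
    """Reasons a user should be wary before tapping this URL."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        warnings.append("text before '@' is not the host; real host is " + host)
    if parts.scheme != "https":
        warnings.append("not https")
    if is_ip(host):
        warnings.append("raw IP address instead of a domain name")
        return warnings
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised domain name; check for look-alike characters")
    reg = registrable_domain(host)
    for keyword, legit in BRANDS.items():
        if keyword in url.lower() and reg != legit:
            warnings.append(f"mentions {keyword} but really goes to {reg}")
    return warnings


def sender_warnings(from_header: str) -> list:
    """Compare the display name a mobile list view shows against the
    address behind it."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no usable sender address"]
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    return [f"display name says {keyword} but address is at {domain}"
            for keyword, legit in BRANDS.items()
            if keyword in name.lower() and domain != legit]


if __name__ == "__main__":
    # constructed samples
    for url in ("https://www.paypal.com/signin",
                "https://www.paypal.com.secure-login.example/",
                "http://paypal.com@203.0.113.5/update"):
        print(emphasise(url), url_warnings(url))
    print(sender_warnings('"PayPal Customer Service" <alerts@paypal-secure.example>'))
```

The bracketed part is the only part of a hostname the attacker cannot choose freely, which is why it, and not the familiar-looking left-hand labels, is what the pop-up should emphasise.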
Conclusion
In general, the industry needs to look at the various user scenarios that are, or are likely to be, in place to improve secure Web browsing and email. Then they have to provide user-experience measures that allow the user to verify the authenticity of Websites and emails.
This is more so as the small screens of handheld devices become the principal Web user interface for people on the move. It will also become more so as the "10-foot" TV interface, with its large screen, large text and graphics, D-pad navigation and use by relaxed and mostly tired viewers on comfortable furniture, becomes a mainstream "lounge-room" interface for the Web.