Filed under Mobile Computing, Network Security by simonmackay on 22/01/2011 at 13:59
Article
Mobile Users More Susceptible to Phishing Scams – www.enterprisemobiletoday.com
My comments
Why are mobile (smartphone and tablet-computer) users more susceptible to phishing scams?
The main reason is that the operating interface on mobile computing devices (smartphones and tablet computers) is totally different from the operating environment on a desktop or laptop computer.
A major factor is that most of these devices don’t have a large display area in their Web browsers or email clients because their screens are small. This leads software designers to design a “clean and simple” user interface for software pitched at these devices, with minimal controls on the interface, which hides details such as fully-qualified email addresses and URLs. A lot of these devices even conceal the address bar where the user enters the URL of the page to be visited, unless the user is directly entering a URL they intend to visit. Similarly, the email client only shows the display name for an incoming email, especially in the commonly-used “list view”.
The problem is compounded by the lack of a “B-option” interface in a mobile operating system. Compare this with what is accepted in a desktop operating environment, where functions like right-clicking with a multi-button mouse, or Ctrl-clicking on a Macintosh equipped with a single-button mouse, give access to a context-sensitive secondary menu. Similarly, all scientific calculators used an [F] key and / or an [INV] key to modify the function of the formula buttons, either to gain access to the inverse of a formula or to obtain another formula.
Such an option would allow the user to press a “function” button before selecting the option or displayed item, in order to open a context-sensitive secondary-function menu or select a secondary function.
Without it, users are discouraged from checking the URL they intend to click on in an email, or the fully-qualified email address of an incoming email.
What could be done?
The Web browser and email client could support “phish detection”, providing a highly-visible warning that one is heading to a “phishy” Web site or receiving a suspicious email. This function is provided in just about every desktop email client that most of us use, but it could also be implemented in a mobile email client. Similarly, an email service could integrate filtering for phishy emails as part of its value-added spam-filter service.
There could even be a “magnifying glass” touch button on the browser or email-client user interface which, when selected before you select an email address or URL, would show the fully-qualified email address or URL as a pop-up. This would have the domain name emphasised or written in a distinct colour so you know where you are going. The same interface could also apply when one enters a URL directly into the Web browser.
The mobile browsers could also support Extended Validation SSL through the use of a distinct graphic for the fully-validated sites. As well, a wireless-broadband provider or Wi-Fi hotspot could offer a “phish-verify” proxy service so that users see a “red flag” if they attempt to visit a phishy Website, similar to what happens in Internet Explorer when a user visits a suspicious Website. This is similar to how some mobile providers warn that you are heading to a website that isn’t part of their “free-use” Website list, and they could integrate this logic into those proxy servers.
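As an added example (not code from the original post), the following Python sketches what such a “magnifying glass” pop-up would compute: it takes what the mobile client normally shows (a link’s visible text, a sender’s display name) and returns the fully-qualified form with the domain emphasised, plus the mismatches the user would otherwise miss. All domain names in it are constructed for illustration.

```python
"""Sketch of the "magnifying glass" pop-up: reveal the fully qualified
URL or sender address behind what a mobile client shows, with the domain
emphasised.  Upper case stands in for the distinct colour a real UI would
use.  Added example; the .example domains below are constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Something that looks like a host name inside free text (link text or a
# display name).  Deliberately loose: it only serves to spot a claimed
# destination that differs from the real one.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def emphasise(host):
    """Upper-case the registrable part of a host, assumed here to be its
    last two labels (multi-part suffixes such as .co.uk would need a public
    suffix list, which this example leaves out)."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host.upper()
    return ".".join(labels[:-2] + [label.upper() for label in labels[-2:]])


def reveal_link(link_text, href):
    """What the pop-up would show for a link in an email or Web page."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()   # hostname strips user-info and port
    notes = []
    if parts.username is not None:
        notes.append("user-info before the real host: " + parts.username)
    if parts.scheme.lower() != "https":
        notes.append("not HTTPS")
    claimed = HOST_IN_TEXT.search(link_text)
    if claimed and claimed.group(1).lower() != host:
        notes.append("text says %s but link goes to %s" % (claimed.group(1), host))
    start = href.lower().find(host) if host else -1
    display = href if start < 0 else (
        href[:start] + emphasise(host) + href[start + len(host):])
    return {"list_view": link_text, "url": href, "host": host,
            "display": display, "notes": notes}


def reveal_sender(from_header):
    """What the pop-up would show for the sender of an incoming message."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    notes = []
    claimed = HOST_IN_TEXT.search(name)   # display name posing as an address
    if claimed and claimed.group(1).lower() != domain:
        notes.append("display name says %s but address is at %s"
                     % (claimed.group(1), domain))
    full = "%s@%s" % (local, emphasise(domain)) if domain else addr
    if name:
        full = "%s <%s>" % (name, full)
    return {"list_view": name or addr, "address": addr, "domain": domain,
            "display": full, "notes": notes}


if __name__ == "__main__":
    # Constructed samples: a deceptive link and a deceptive sender.
    samples = (
        reveal_link("www.mybank.example",
                    "http://www.mybank.example.login-check.example/secure"),
        reveal_sender('"service@mybank.example" <alerts@mail-relay.example>'),
    )
    for result in samples:
        print("shown in list view:", result["list_view"])
        print("fully qualified:   ", result["display"])
        for note in result["notes"]:
            print("  !", note)
```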
Conclusion
In general, the industry needs to look at the various user scenarios that are, or are likely to be, in place in order to improve secure Web browsing and email. Then it has to enable user-experience measures that allow the user to verify the authenticity of Websites and emails.
This is more so as the small screens of handheld devices end up as the principal Web user interface for people on the move. It will also become more so as the “10-foot” TV interface, with its large screen with large text and graphics, D-pad navigation and use by relaxed and mostly-tired viewers on comfortable furniture, becomes a mainstream “lounge-room” interface for the Web.
Filed under Future Trends, Network Management by simonmackay on 11/12/2010 at 01:43
What are remote access and VPNs?
The concept of remote access and VPNs is primarily about gaining access to computer resources located somewhere physically distant from where we are. The typical applications we talk of are accessing business data held at our small business’s shopfront from our home office’s computer, or gaining access to data as we travel.
The method that is usually implemented is to set up a Virtual Private Network or VPN which is a virtual secure network link between one or more computers in one network and computers in another network. This link is hosted over another network infrastructure like an Internet service and acts as the secure data “tunnel” or path between these networks.
This will typically allow one to “draw down” files held on a remote hard disk or more likely use a “remote desktop” program to operate a computer from afar. The latter application would typically be performed using programs like VNC or Microsoft’s Remote Desktop / Terminal Services with a server component running on the host computer (which has the data and programs) and a remote-terminal client program on the computer that the user is working from.

One of Draytek's VPN-endpoint ADSL modem routers
Previously, a VPN was based around two Internet-connected computers with one, typically a file server, being a “VPN server” and the remote computer being something like a laptop or home computer. Now the VPN can have a specially-enabled router as the “VPN server” or can become a secure link between two physical networks separated by an Internet connection and facilitated by specially-enabled routers.
Two types of VPN
There are two types of VPN setup that are in use. They are the “Client to Box” setup and the “Box to Box” setup.
“Client-to-Box” – Remote computer to local network
The “Client to Box” setup has a user operating a single computer to gain access to the remote network. This is typically used to allow a mobile worker or a telecommuter to gain access to company resources from their laptop or home computer.
The computer runs a “VPN-client” program that is either part of the operating system or a separately-supplied program. Here, this program provides the login experience for the user and authenticates the computer to the main network. Then it effectively “bridges” the computer’s resources to that network.

Single-Client Remote Access VPN
“Box-to-Box” – Connecting multiple logical networks
The “Box to Box” setup is simply a secure link established between networks located in different places. The typical reason to do this is to avoid the cost of renting a dedicated line between the locations and use the economies of scale that the Internet offers. This is typically established with special “VPN endpoint” routers joining the networks; these routers create a secure encrypted “tunnel” for the data to move between the networks.

"Box-to-Box" VPN connecting two networks
Relevance to the small business and home users
These VPNs do appeal to small businesses and home users in many ways. One is to allow a shopkeeper to have access to data held at either their home office or their shop from the other location. Similarly, a small-business owner can establish a branch of their business in a new location and make sure they have access to the business resources at the main location from the branch’s network.
Another example for a “client-to-box” setup is to allow a tradesman or similar worker to gain access to customer data held on his home-office computer from the road through the use of a laptop computer connected by a wireless-broadband link or use of a wireless hotspot.
There is even the prospect of home users using this VPN technology to gain access to media held on a home media server from remote locations. One example would be to “pull up” audio material held on the home media server from one’s car using a wireless-broadband link to download or stream the material. Another example would be to have the same media that you have “at home” available on a home network installed at a secondary home that you own or rent.
As well, it could be feasible to use VPN technology as part of home security and automation, especially when it comes to managing remote properties.
Similarly, there can be the ability to support the use of the home network’s facilities in households where one or more members maintain separate Internet services and networks. Examples of this may include a business operated from home with a separate Internet connection for business-owned equipment, or lodgers and students who want to have their own Internet use on their own terms.
Limitations with the current technology
Hard to provision
The main limitation for home and small-business users when dealing with the VPN is that the VPN is typically hard to provision, whether it is to set up for the first time or to adapt it to suit future needs.
The user needs to make sure each location’s local network uses a different IP address range, which would be a difficult task, especially as most small networks are set up with the default IP-address settings that come with the network-Internet “edge” router.
Then they need to know the VPN protocols, security protocols and the VPN passphrase and set these in the “hub” VPN endpoint. They have to make sure this is accurately copied and copy these details to the “spoke” VPN endpoints at the remote locations. Here they may become confused with determining which is “outbound” and which is “inbound” for each tunnel when configuring each endpoint.
They would also have to make sure that one of the VPN endpoints or the one that is to be the “hub” endpoint either has a fixed Internet IP address or can support a dynamic DNS service like DynDNS.org or TZO and is set up for this service.
Most of these tasks would then daunt most home and small-business computer users unless they had a lot of detailed computer knowledge and skills.
Limited protocol and application set
Most VPNs can only handle the protocols associated with bulk file transfer between two or more general-purpose computers. They don’t properly support device discovery for other devices, which is important for the home and small-business user.
As well, they don’t work properly when it comes to streaming real-time media between sites, due to issues with streaming protocols and quality of service. Here, VPN setups carrying these applications may have to implement application-layer gateways to meet the QoS and protocol needs.
Action to facilitate these networks
The UPnP Forum has released the “RemoteAccess” Device Control Profile to facilitate remote access and VPN use, especially when it comes to supporting UPnP-compliant devices on the “other side” of a remote-access link or VPN tunnel from “your side”. The first version is pitched at the “client-to-box” VPN setup, mainly to allow smartphone and laptop users to gain access to media on the home network. The second version, coming over the next year, is intended to support “box-to-box” setups like multi-site “super-networks”.
This has been released in conjunction with the “ContentSync” Device Control Profile which allows for synchronising of content collections (or parts thereof) between two UPnP AV MediaServer devices.
This makes a relevant case for home users to value VPN and remote-access technology for personal-media applications, such as keeping copies or subsets of media libraries at other locations or playing media held at one location from another.
What needs to happen
Improve provisioning experience
The routine associated with provisioning a remote-access setup or VPN “super-network” needs to be simplified in a manner similar to what has happened to Wi-Fi wireless networking. Here, this was facilitated by the user not needing to work out any new data except to identify a wireless-network segment via its SSID.
In a VPN or remote-access network, the user sets up a “hub” endpoint which would work on machine-determined VPN protocol settings. Here, the user determines the location name, dynamic-DNS service or fixed IP address; and the VPN network password.
As well, a dynamic-DNS service that has a lot more “meat” such as increased reliability could be a service that is sold by carriers and Internet service providers as a value-added service. These services could typically be packaged as a product differentiator between different Internet-access-package lineups or just simply as an add-on item.
Then the user sets up a “spoke” endpoint or client terminal by providing the fully-qualified location name and the VPN network password as well as an identifier for the “spoke” endpoint.
This setup could support the use of machine-generated passwords that have been successfully implemented with Windows Connect Now easy-Wi-Fi setup method in Windows XP Service Pack 2 and Vista; as well as the HomeGroup password in Windows 7. Similarly, there could be support for configuration files like what has happened with Windows Connect Now – USB setup where a configuration file is uploaded to a Wi-Fi router or client device to facilitate quick wireless-network enrolment.
A client-to-box setup could be established by the user entering the VPN name and password into a VPN client program that is part of the computer’s or smartphone’s operating system.
Site-local subnets (logical networks)
The provisioning process for a “box-to-box” remote-access network should make it easy to create site-local subnets that are specific to each logical network. This could require the “hub” endpoint to keep track of the subnets in use and have “spoke” endpoints determine new subnets as part of the setup process.
It can include the ability to force a DHCP “refresh” so that all network devices in a logical network obtain new IP addresses if the addressing scheme has to be redefined for that network. This is because most network devices in home and small-business networks are allocated IP addresses using DHCP rather than the user defining them, in order to simplify setup of equipment on these networks.
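The hub-side bookkeeping this implies, as an added example in Python (not code from the original post or from any vendor’s endpoint): the hub keeps a registry of every site’s LAN range; a joining spoke offers the range it already uses, and the hub either accepts it or hands back a fresh non-overlapping one and tells the spoke a DHCP refresh is needed. The site names, the 10.0.0.0/8 pool and the /24 size are assumptions made for the example.

```python
"""Hub-side registry of site-local subnets for a "box-to-box" VPN.
Added example; the pool, prefix length and site names are assumptions."""
import ipaddress


class SubnetRegistry:
    def __init__(self, pool="10.0.0.0/8", prefixlen=24):
        self.pool = ipaddress.ip_network(pool)   # where fresh subnets come from
        self.prefixlen = prefixlen               # size of a freshly allocated subnet
        self.sites = {}                          # site name -> IPv4Network in use

    def overlaps(self, net):
        """Names of registered sites whose subnet overlaps `net`."""
        net = ipaddress.ip_network(net, strict=False)
        return [name for name, used in self.sites.items() if used.overlaps(net)]

    def register(self, name, offered=None):
        """Admit a site.  `offered` is the range the spoke already uses (a
        network or any address in it).  Returns (subnet, renumber_needed):
        renumber_needed is True when the spoke must force a DHCP refresh
        because it was handed a new subnet."""
        if name in self.sites:                   # re-joining site keeps its range
            return self.sites[name], False
        if offered is not None:
            net = ipaddress.ip_network(offered, strict=False)
            if not self.overlaps(net):
                self.sites[name] = net
                return net, False
        # Offered range clashes (typically two sites on the router's factory
        # default) or nothing offered: allocate the first free subnet.
        for candidate in self.pool.subnets(new_prefix=self.prefixlen):
            if not self.overlaps(candidate):
                self.sites[name] = candidate
                return candidate, True
        raise RuntimeError("subnet pool exhausted")

    def routes_for(self, name):
        """Remote subnets a site's endpoint must route into the tunnel."""
        return sorted(str(net) for site, net in self.sites.items() if site != name)


if __name__ == "__main__":
    hub = SubnetRegistry()
    # Constructed scenario: shop and home both on the factory default range.
    for site, lan in (("shop", "192.168.1.1/24"), ("home", "192.168.1.0/24"),
                      ("branch", "10.0.0.0/25")):
        subnet, renumber = hub.register(site, lan)
        print("%-6s -> %-16s %s" % (site, subnet,
                                    "DHCP refresh needed" if renumber else "kept"))
    print("routes at home:", hub.routes_for("home"))
```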
Use of a logo for easy-setup VPN systems
A VPN or remote access system needs to work to an industry standard that is supported by many vendors. Here, equipment and software that complies with this standard needs to be identified with a trademark and logo denoting this compatibility, so customers can choose the right hardware and software for an easy-to-provision remote access setup.
Retroactive upgrading programs
There are small businesses who run VPN setups that are typically based on VPN-endpoint routers that have existed for a long time and are currently in service. The standards for providing “easy-setup” VPN systems could be retroactively implemented in these units by applying updated firmware that incorporates this functionality to existing VPN-endpoint routers. This may happen more easily for devices that are based on open-source firmware.
Conclusion
Once the industry makes it easier for home and small-business users to establish or manage their remote-access setups and VPN-based multi-premises super-networks, the kind of features that larger businesses take for granted can be of benefit to this class of user.
Filed under Computer Software, Product improvement ideas by simonmackay on 13/11/2010 at 13:44
Facebook started it. Windows Live Photo Gallery has implemented it since the 2010 version and made it easier with the 2011 version.
What is people-tagging
The feature I am talking about here is the ability to attach a metadata tag that identifies a particular person who appears in a digital image. These implementations typically have the tag applied to a specific area of the photo, usually defining the face or head of the person concerned. It will also become available in current or up-and-coming versions of other image-management programs, photo-sharing services, DLNA media servers and the like.
In the case of DLNA media servers, one of these programs could scan an image library and make a UPnP AV content-directory “tree” based on the people featured in one’s photo library.
Initially the concept, especially the Facebook implementation, was treated with fear and scorn because of privacy invasion. This is because this implementation allows the metadata to be related to particular Facebook Friends and also allows the photo to be commented on by other Facebook Friends. Now the Windows Live Photo Gallery application attaches this metadata in a standardised XML form to the JPEG file like it does with the description tags and geotags. There is the ability to make a copy of this file without the metadata for use in posting to Internet services.
A relevant implementation idea
One key benefit that I would see with this data when implemented with electronic picture frames, HDTVs and similar devices is the ability to overlay the tags over the picture when it is shown. This could be achieved by the user pressing a “display” or similar button on the device or its remote control. Devices with touchscreens, stylus-operated tablet screens or other pointer-driven “absolute” navigation setups could support a function that shows a “people tag” as you touch areas of the image.
Benefit to Alzheimer’s sufferers
Here, this feature could help people who suffer from Alzheimer’s or other dementia-related illnesses by helping them remember who their family members or friends are. If the user is using an image-management program or DLNA media-server setup capable of using these tags, they can call up a collection of images of the person they are thinking of and have those images appear on the screen. If the device has a communications-terminal function like a telephone, one of the images can be used as an index image to remember the correspondent by. This function could be extended by the use of an automatically-updated index image or a slideshow that shows “key” images of the person.
Improving on the idea
To make this work, there needs to be an industry standard that defines how the people-tag metadata is stored on the JPEG file. As well, the standard has to support functions like one or more separate “nickname” fields for each of the people that can be displayed as an option. This is because a person may be known to one or more other people via a nickname or relative-shortcut name (Mummy, Daddy, Nonna, etc).
Another issue is to encourage users to establish consistency whenever they tag up a collection of images. This could be achieved through “batch-tagging” and / or improved facial recognition in image-management tools. This may be an issue if two or more people are tagging images from their own collections to serve a third collection and they know the people via different names.
Conclusion
Once we cut through the hysteria surrounding people-tagging with digital images and focus on using it as part of desktop image-management systems rather than social networks, we can then see it as a tool for helping people remember who their loved ones are.
Filed under Government-Citizen Online Activity, Industry Comments by simonmackay on 02/06/2010 at 02:31
Article
E-Government-Offensive im Microsoft-Browser | news.ORF.at (Austria – German language)
My comments and brief interpretation
Judging from my basic understanding of the German language together with use of Google’s machine translation, I had “got the gist” of this situation which would be considered hostile to the European Commission’s agenda concerning Microsoft’s Internet Explorer browser.
What I was reading here was that the federal government in Austria were placing heavy emphasis on Internet Explorer 8 as part of their “e-government” initiative. This was including a downloadable toolbar add-in amongst obvious page-optimisation for this browser.
Most likely, I would suspect that, like most large organisations, the Austrian government uses Internet Explorer 8 as part of its standard operating environment and expects that most users in that country may have stuck with IE8 even during the “Browser Choice Screen” switchover. One could say that this government could get away with this practice because many public and private organisations supply iPhone client apps to make their “front-end” usable on an iPhone, which may be platform-specific.
What I would like to see is that, if the government sites become less useful or unable to fulfil their function because of the preference for a particular browser, then the sites should be organised to at least fulfil their function no matter the desktop-computer user agent.
Filed under Hardware setup, Network Printers and All-in-ones by simonmackay on 15/01/2010 at 01:45
The current situation
Typically, a printer or “all-in-one” comes with a CD that has a monolithic driver and application set for the device. The files on this disc are also available at the manufacturer’s Website in their latest form and / or ported to different operating systems.
The current problem with this method of printer installation is that it assumes every computer has a working optical drive built into it. The reality is different: a computer like a netbook or nettop may not have an integrated optical drive, and optical drives commonly fail. This is more so with the slimline “carriage-load” optical drives that are part and parcel of most laptops in the field and are becoming part of the equation with small-footprint desktop computers.
The market might prefer the use of a USB memory key that has all this software, especially due to netbooks and “thin-and-light” notebooks that don’t have optical drives becoming commonly available. But this memory key, like the CD, may end up being lost through the life of the printer simply due to common misplacement. There is even the factor that the files may be wiped by accident as a person intends to “stuff” a memory key with more data to take with them.
What can be done
Use of fixed onboard storage
I would prefer the printer, especially any device that offers network or fax functionality, to use fixed onboard storage. A lot of the “all-in-ones” support local removable storage in order to permit “there-and-then” printing of digital images held on a camera’s memory card or to support “scan-to-memory” functionality, but fixed storage could take things further. The USB host port on a lot of these printers may be usable beyond connecting PictBridge-enabled cameras: in most cases, this port may be available for one to plug in a USB memory key to print documents or images held on that memory key.
The fixed onboard storage can extend printer functionality and increase operating efficiency in many different ways. For example, it could come in handy for queuing documents that are to be printed, thus taking the load off the host computers; or for providing enhanced fax functionality like “after-hours” fax transmission (to take advantage of off-peak call costs) or “hold-without-print” fax reception for whenever the machine is out of paper / ink or as a security measure. With the scanner, this could come in handy for “scan-to-email” or “pick-up-from-machine” scanning, where you scan the hard copy to on-machine storage and use your computer to visit the on-machine storage when collecting the scanned images. In the case of “there-and-then” photo printing, the fixed storage can come in handy for holding the images that are to be printed so that the user can remove their camera card or PictBridge-connected camera and continue taking more pictures.
Relevance to printer setup
As far as the printer-setup routine goes, a part of this storage could be used for holding driver files for most platforms.
Local USB connection
If the printer is connected directly to the computer via a USB cable, the fixed storage could be presented as a Mass-Storage Device. Here, the storage would appear as another volume of the file system and the operating system would point to that volume whenever it has to load the drivers as part of its “plug-and-play” peripheral installation whenever a printer is connected to a computer running Windows or MacOS X. Linux users could find the necessary binaries and source files when they mount the internal storage to the “*NIX” file-system tree.
This practice is much like how the drivers and supplementary software are stored on one of those USB wireless-broadband modems. Then, if the computer’s operating system doesn’t have native support for wireless broadband, the user loads this software directly from the broadband modem.
Network connection
If the printer is connected to an IP-based network like a home or office network, the fixed storage, especially the driver-files area, would be presented as a CIFS, FTP or HTTP network volume readable by all users. This would allow device-initialisation methods like “Point and Print”, UPnP, DPWS and Apple Bonjour to locate the drivers on this storage and load them into the computers.
Keeping the drivers up to date
The user could keep the drivers up to date by running a “driver-update” program that exists on the printer’s fixed storage if the printer is connected directly to the computer. This program could poll the manufacturer’s Website for newer drivers for particular operating systems and upload the newer drivers to the printer.
On the other hand, the user could set a network-connected printer to poll the manufacturer’s Website at regular intervals for driver updates for the nominated platforms.
Benefit for installers and users
This setup method can reduce the amount of work required to commission a new printer or enable printer access to a computer that has just come on to their site. There is less need to remember where driver CDs or USB memory keys are or the Web download details for the drivers, whether for existing operating systems or for newer platforms.
It can also cut down on the number of helpdesk calls or service visits that are needed whenever someone is setting up a printer for the first time, because they have trouble with balky optical drives (common with a lot of laptops), scratched discs or missing printer-software media.
A wireless hotspot or other facility that provides public Internet access can also benefit from offering a document-printout service to their customers without having to help the customers with adding printer drivers to their computer or make a CD or USB memory key full of driver files available to their customers.
Cost and design impact for manufacturers
The fixed storage could simply be based on a hard disk or flash memory with a very low storage capacity, say up to 160Gb and which is of a small form factor like a microdrive. This can avoid the manufacturer having to vary the printer’s industrial design to suit integrating local storage and the cost to provide the storage becomes very minimal.
This feature offers another point for manufacturers to differentiate the products in their range. An economy model could just have a small amount of memory with just enough room for the drivers and perhaps queuing memory for an average document whereas midrange and high-end units could have increased memory space for all of the functionality that comes with these models.
As I mentioned before, the same feature can provide added value to the printer or “all-in-one” device such as the device taking the load off the host computers or offering a raft of extra functionality. Manufacturers can also save money on preparing and packing optical discs or USB memory keys with their printers and avoid needing to handle support issues concerning these items.
Summary
Once we work towards a method of setting up printers without any need for extra media to come with the printers, we can then see a true “plug-and-play” printing experience for all printer users.