Data security Archive

Constance Hall puts trolling and bullying in the TV spotlight on Dancing With The Stars

Article

‘It hurts me so much’: Constance Hall targeted by trolls after reality TV announcement | Sydney Morning Herald

Dancing with the Stars: Constance Hall is ready to rumba! Here’s what you need to know about her | NowToLove.com

Video – Click or tap to play (Facebook page)

>

Previous Coverage on HomeNetworking01.info

Dealing with Internet trolls

Useful Resources

Crash Override Network – A resource centre based in the USA focused on online-abuse issues.

My Comments

Constance Hall, an online personality who has run a blog and is maintaining a Facebook public presence, is participating in the latest Dancing With The Stars season on Ten Network Australia. But because she had decided to star in this popular dancing talent-quest TV show, she got a lot of online abuse from various trolls. She often copped this abuse in her online presence due to how she looks, her outspokenness or her alternative lifestyle.

I have seen this happen with two of the contestants in MasterChef Australia season 10. One of them was accused of being close to George Calombaris because she had him taste a sample of something she was preparing before cooking it in quantity for the contest, while the other who was a nutritionist was turning out desserts which went against the grain of someone whose profession was about “clean eating”.

Even a few years ago, I observed a situation of online abuse directed at a cafe I was visiting because they wouldn’t accept the placement of a protest group’s campaign flyers near their till. It was while their neighbourhood was effectively being divided by the potential presence of a McDonalds fast-food restaurant with this protest group against the proposed development. I even defended that they had the right to defend their space but they even had to effectively shut down the commenting ability on their Facebook presence.

This kind of bullying has become very toxic with the Gamergate saga which was an attack on female game developers and female gaming journalists. This situation got to a point where there were death threats against one of the game developers along with the publication of her home address and phone number.

Typically this can be about a perverse innuendo about intimate relationships involving one or more of the victims; that the victim doesn’t “fit the mould” expected of them; or that they are “taking the wrong side” on an issue.

But Constance Hall produced a Facebook video addressing this kind of behaviour in the online space. Here, it was about stopping the acceptance and normalisation of online bullying and she had related it to what happens to children and teenagers. This video was even played as part of the introductory video package that preceded her dance routine in Dancing With The Stars. This meant that the issues being raised in the video had a good chance of being aired on prime-time traditional TV.

It is also part of her personal campaign to reach out to and encourage teenagers and other young people who are at risk of being bullied during their life’s journey especially in the online context.

A good practice to deal with trolling in an online environment would be to “insert” some common-sense in to the conversation. It may be best to approach it in a neutral form without appearing to take sides.

If it is getting out of control, most social-media platforms and some other online environments have the ability to “mute” participants or “hide” conversation threads so you don’t have them in your view. Social-media platforms also have the ability to block participants so they can’t follow you. As well, you may also have to report offensive behaviour to the online environment that it’s occurring in if it is becoming consistent.

If the online environment has the ability for users to upvote or downvote comments or threads, it can be used as a way to bury questionable comments. It is a feature that has appeared in some commenting platforms like Disqus or some online forum software, but is slowly being rolled out to major social media platforms like Facebook.

I applaud Constance Hall for how she has turned a negative experience around for something positive as well as underscoring a “you can do it” approach. This is more so for people who are or are likely to become an online personality who can easily fall victim to the ugly side of the Internet.

Send to Kindle

Computers that are secure by design are less likely to be bugs

Article

Dell XPS 13 8th Generation Ultrabook at QT Melbourne rooftop bar

Running modern always-updated operating systems and applications on your laptop is a way to keep your computing environment safe and secure.

Should you be scared of your laptop’s webcam? | ZDNet

Previous Coverage

Regular operating systems and their vulnerability to security threats

My Comments

An article appeared about whether one should be scared of their computer’s integrated Webcam and microphone. Here, a Webcam and microphone integrated in a computer or monitor or a USB Webcam that is always plugged in could turn the computer in to a surveillance device. But it highlighted the fact that recent versions of operating systems and productivity applications are “secure by design” when used to default settings.

It went through two different “what-if” hacking scenarios with different software combinations to see how hard they were to penetrate in order to “open up” the Webcam. The trigger point was to receive a “loaded” document with instructions that the user must follow, something that can be done through an email phishing attempt. Here, the document would have a macro that would install malware to open up the Webcam and stream its vision remotely.

The first scenario involves a Windows 10 computer running the latest version of Microsoft Word while the second scenario involved MacOS 10.14 Mojave and the latest version of LibreOffice. All operating systems and applications were run in the default protected mode but MacOS Mojave was temporarily configured to admit software from other sources in order to admit LibreOffice on to the Mac.

What was highlighted was the recent operating systems’ flagging or blocking of questionable software when the article’s author was asked to click on the required link within the document. The operating systems having their own basic endpoint-protection software underscored the ability to keep users safe from rogue software. Even productivity application software running documents supplied by email or from questionable sources in a protected mode to inhibit the execution of macros was also highlighted.

Creative Labs LiveCam Connect HD Webcam

Webcams, whether external like this one or integrated in a computing device, aren’t able to be bugs if you keep your computer software up-to-date with the latest patches and have it running “secure by default”.

This meant that neither the Webcam nor the microphone could not be accessed without the user knowing. It was demonstrating the recent “secure by design” approach of newer regular-computer environments that assured the average user of their data security. You may harden that attack surface by masking an integrated Webcam that is part of your computer or monitor, or disconnecting an external Webcam.

Unless you need to, keep your computer’s operating system, applications and endpoint-security utilities running in a “default-for-security” manner. This also includes updating them to the latest version, preferably with the software updating themselves.

If you are supporting other systems, don’t disable the computing environment’s security features unless you are sure they need to be disabled. Also educate the other users about data-security risks including the security warnings that will pop up on their computer.

If you are dealing with an old computer that is running a very old operating system and application software that doesn’t have the “secure by design” approach, you may have to cover or disconnect the Webcam. This is more so if it is found to be running the software “out of the box” without any patches or updates applied to it.

In most cases, the “secure-by-design” approach of most modern computing environments allows us to be able to use regular or mobile computer equipment in a secure manner.

Send to Kindle

Business-email compromise phishing now affects consumers

Article

House in Toorak

The sale of a property is an area where consumers can easily be caught up in a business-email compromise scam

Email crooks swindle woman out of $150K from home sale | Naked Security blog

An email scam has caused $200,000 in losses to real estate agents and home buyers in Victoria | Smart Company

My Comments

Ordinary householders can be at risk of a “business email compromise“ phish attempt in the same way as those in large business.

The business email compromise scam

This scam typically has the trickster research as much as they can about their victim and his or her employer or business partners. The victim that is usually targeted is someone who is likely to facilitate business-sensitive transactions or handles business-sensitive data like the payroll. They will find out whom they report to within the organisation such as the chief financial officer, or beyond the organisation like their accountant, lawyer or the tax department.

Then they place an urgent request to the victim to wire funds to a particular account as part of a wire fraud. Or they could be asked to reply to the email with organisationally-sensitive data like employee data typically presented as a “wages and tax-witholding” statement like a W2 (USA), P60 (UK and Ireland) or Group Certificate (Australia) to facilitate identity theft against the business’s staff.

How can ordinary people get caught up in these scams?

Apartment block in Elwood

as can having that rental apartment managed by someone else

But this kind of email scam can similarly happen with personal transactions, especially those that are high-stakes in nature, typically requiring the engagement of legal counsel. A key example of these transactions would be the sale of real-estate, businesses or investments.

Similarly, the probate settlement of a deceased estate or a property settlement after a divorce or separation could be at risk because these can involve a collection of items including high-value goods like real-estate or collectables. In that case, you are dealing with a real-estate transaction along with the valuation and sale of items.

It can also extend to transactions where you are delegating an agent to manage assets. Examples of these include trust funds typically for minor children, powers of attorney, or rental properties managed by a property manager or estate agent.

These transactions typically involve the frequent exchange of documents during the closure or settlement period where the transaction is in the process of being realised. They also involve dealing with different entities like conveyancers, law firms, estate agents and the like to facilitate the transactions. In addition, due to electronic transaction technologies like online document signing, there will be many emails between the parties that will have links to various resources like document repositories including document-signing platforms or results pages. They are also vulnerable towards the end of the settlement period where a last-minute change could be rushed in “under the radar”.

What can happen, for example, is that a fraudulent email could be used to “steer” the proceeds of a house sale away from the vendor’s account towards a fishy-sounding account.  Or funds due to an estate’s beneficiary could be steered away to an account not under the control of that person.

What can you do?

Compose Email or New Email form

Protect yourself against this scam by practising safe email habits

To protect yourself, make sure everything about the transaction is properly “cut and dried” as it evolves. This includes identifying and documenting sources, currencies and destinations of any funds along with procedures affecting the high-stakes transaction at the start of the transaction. Especially be careful of last-minute changes that crop up towards the end of the settlement.

Protect email accounts that are party to the transaction such as implementing security measures that the email service or client software would provide. With Webmail services,using multi-factor authentication may work as a secure measure, as will verifying that you log in to the service at its known proper address.

Carefully examine emails associated with the transaction to be sure they come from the proper email addresses. As far as links to online resources are concerned, make sure you know the proper domain name for these resources and that the links point to resources at that domain name. Attachments should also come through as proper representations of their filetype and you may have to use your endpoint security software to scan for document-laden malware.

Similarly, you may have to make sure Word documents or Excel spreadsheets are viewed in “Protected View” where macros cannot be run or the document can’t be edited. You would need to exit this mode if you are editing the document such as filling in a form or amending a spreadsheet, or printing it out.

In some cases, a regular personal computer running desktop applications and Web browsers may become a better device to use for verification than a mobile-platform device like a smartphone or tablet. This is because the desktop operating system and software tends to offer a more detailed user experience than their mobile equivalents.

If someone changes their email or other communications details, confirm these details through another communications means that you and them trust. You may have to use one of the prior or alternate communications details as a tool for confirmation if a significant number of details is changed such as through a change of employment.

You may have to double-check invoices, account numbers and the like directly with the other party especially if these details are changed. It is best to do this in person or on the phone using independently-verified phone numbers such as numbers you already have for them.

Avoid the use of untrusted networks like insecure public-access networks to do your sensitive business. Here, you may find that using a mobile-broadband connection and/or a VPN may work with this kind of business if you are away from home or office networks you can trust.

Be especially careful about creditors where the payment-destination account number, the payment method or currency changes during the course of your business. There may be a legitimate reasons such as a creditor changing banks or accounts for something that suits their needs better. But an impostor could be steering money that you owe them to an account under the control of the grifter who is impersonnating them.

If the high-stakes transaction has any international dimension about it, don’t be afraid to seek consular help regarding any aspect of that transaction. It may mean talking with your country’s foreign-affairs government department or the embassy or consulate associated with the foreign country. This is now important with people relocating overseas while maintaining assets like homes in their own or other countries, or goods being purchased via the Internet from foreign sellers.

For example, participants of a transaction conducted across international borders can use consular help to verify each others’ identities. Similarly, they can organise official translation of any official documents that are part of the transaction and are in a language that one of the parties doesn’t understand. Or you simply may need to confirm the legitimacy of that transaction in the foreign country including any steps you need to take.

Conclusion

We as consumers can become vulnerable to the business-email compromise scam when we are dealing with high-stakes transactions like real-estate purchases. To protect yourself, it’s about secure computing and email practices along with making sure everything in the transaction is “cut and dried” including verifying changes through another communications path you trust.

Send to Kindle

European Union’s data security actions come closer

Article

Map of Europe By User:mjchael by using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

The European Union will make steps towards a secure-by-design approach for hardware, software and services

EU Cybersecurity Act Agreed – “Traffic Light” Labelling Creeps Closer | Computer Business Review

Smarthome: EU führt Sicherheitszertifikate für vernetzte Geräte ein | Computer Bild (German Language / Deutschen Sprache)

From the horse’s mouth

European Commission

EU negotiators agree on strengthening Europe’s cybersecurity (Press Release)

My Comments

After the GDPR effort for data protection and end-user privacy with our online life, the European Union want to take further action regarding data security. But this time it is about achieving a “secure by design” approach for connected devices, software and online services.

This is driven by the recent Wannacry and NotPetya cyberattacks and is being achieved through the Cybersecurity Act which is being passed through the European Parliament. It follows after the German Federal Government’s effort to specify a design standard for routers that we use as the network-Internet “edge” for our home networks.

There will be a wider remit for EU Agency for Cybersecurity (ENSA) concerning cybersecurity issues that affect the European Union. But the key issue here is to have a European-Union-based framework for cybersecurity certification, which will affect online services and consumer devices with this certification valid through the EU. It is an internal-market legislation that affects the security of connected products including the Internet Of Things, as well as critical infrastructure and online services.

The certification framework will be about having the products being “secure-by-design” which is an analogy to a similar concept in building and urban design where there is a goal to harden a development or neighbourhood against crime as part of the design process. In the IT case, this involves using various logic processes and cyberdefences to make it harder to penetrate computer networks, endpoints and data.

It will also be about making it easier for people and businesses to choose equipment and services that are secure. The computer press were making an analogy to the “traffic-light” coding on food and drink packaging to encourage customers to choose healthier options.

-VP Andrus Ansip (Digital Single Market) – “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe’s digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening’s agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”

What the European Union are doing could have implications beyond the European Economic Area. Here, the push for a “secure-by-design” approach could make things easier for people and organisations in and beyond that area to choose IT hardware, software and services satisfying these expectations thanks to reference standards or customer-facing indications that show compliance.

It will also raise the game towards higher data-security standards from hardware, software and services providers especially in the Internet-of-Things and network-infrastructure-device product classes.

Send to Kindle

Connected novelties and toys–security and useability issues that affect this product class

Giftware chook (rooster)

Connected versions of classic novelties and giftware will be subject to severe scrutiny

An issue that is rearing its ugly head is the rise in availability of connected novelties and toys. They are toys, novelties, giftware, seasonal decorations and other items that are able to connect with your computer or network. This connectivity function is often sold as one of the key marketing features with it able to work with an online service of some sort.

When I talk of toys, I don’t just talk of what children play with with but also other toys that adults end up playing with. These can include the so-called “executive toys” that live on the office desk for one to keep the other hand busy while they are on the phone.

Who typically sells these products

Toys and novelties are typically sold through a large range of online and bricks-and-mortar retailers, whether they be toy stores, gift stores, souvenir outlets or multi-facet outlets including department and discount stores. In some cases such as rural areas, a store like a newsagent’s could even sell novelties or toys.

Another factor is that novelties are given away to people and businesses as a gift or premium. This can typically happen as part of a “loot bag” offered out at conferences or tradeshows or simply used as a giveaway during a presentation to encourage audience participation.

Christmas wreath

Seasonal decorations that connect to the Internet can also be a security or setup risk

The common factor here is that most of the outlets that sell this kind of product are staffed by people who don’t have much technological know-how. This can affect the procurement process affecting whether the item exhibited at the gift fair should be stocked, or providing customer advice during and after the sale including how to get the connected novelty fully operational.

Artisans who make these gifts and novelties

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

Your Amazon Echo will soon be expected to work with a wide range of toys and novelties

There is also the fact that craftspeople like to make various toys, novelties, gifts and other items and sell them directly to customers or on a wholesale basis. But they do want to add some extra functionality like musicality or flashing lights to some of their product lines.

Typically, if they want this extra functionality in these gifts that they make, they have someone else make and supply the necessary components like clockwork movements or electronic-circuit kits to fulfil the extra functionality in a pre-assembled form.  Then the artisan installs the pre-assembled mechanisms or circuits in the toy or gift as part of putting the whole thing together.

It allowed these artisans to focus on their craftwork and build the items they want to sell, while being able to offer a wide range of goods. The same comments that apply to finished goods also apply to the various components and kits that are being sold to these artisans for their projects.

In this case, the artisans have to be aware of what they procure when they are being sold a “connected functionality” kit for installation in their projects. For them, they have to be aware of customer-support issues including setup and data-security issues regarding this extra functionality.

Connected modules for construction sets and similar hobbies

The same concept also extends to construction-set platforms like Meccano, Lego and FischerTechnik where children and adults build items using the pieces that are part of the respective platforms. In this case, anyone to do with these platforms could offer connected modules or kits that have the ability to control one or more items in their platform-based project like a motor, light or solenoid using an “Internet Of Things” approach. Here, these modules have to be able to seen as equivalent to a connected toy or novelty, especially if the idea is to implement cameras, microphones or GPS sensors.

It also applies to model railways, track-based car-racing sets and the like where they can be extended with functionality modules sold by the set’s vendor or a third party catering to these hobbies. Again the modules also need to be designed for security if they are capable of being part of the Internet of Things.

Use of these items

There is the desire for people to buy these toys and novelties as gifts for others in their life. It also includes the fact that the recipient wants to get the item “up and running” as soon as possible.

This will involve having the device connected to a host device through Bluetooth or USB or to a home network for proper reliable use. It should be about a standard process that is implemented for onboarding including the installation of any extra software.

Key security issues

A key security issue concerning the connected toy, novelty or similar device is that it can be an espionage item presented in an innocuous form. It can concern us both at home and in the office because we can easily be talking about items that are confidential and sensitive in our personal and business lives.

This was highlighted in a crime-fiction form to the Germanic viewership in Europe through the Munich-based Tatort “Wir Kriegen Euch Alle” (We Get You All) episode shown there on Sunday 9 December 2018. This story was focused around a connected doll that was given by strangers to various childrens’ families in middle-class Munich and was used as a surveillance tool to facilitate crimes against the families.

It underscored that Germany has some very strict policies where the sale of surveillance devices that are disguised as innocuous items isn’t allowed in that country. But, in the story, these dolls were imported in to Munich from a location in Austria which is a short drive away and facilitated by the Schengen Agreement in the European Union.

Let’s not forget the recent cyberattacks such as the Mirai botnet that were facilitated by dedicated-purpose devices like network-infrastructure equipment and videosurveillance cameras which were running compromised software. Then there are factors regarding data-storage devices and “bag-stuffer” novelties given away during business conferences where there is the possibility of them being loaded with questionable software.

What would I like to see

Security

There has to be identification on the toy’s or novelty’s packaging about what kind of sensors like location sensors, microphones or cameras that the device has, as well as whether the device transmits data to online services. This includes whether the device does this directly or via intermediary software running on other computer devices such as mobile devices running companion mobile-platform apps. Even a hang tag attached ti the novelty could highlight what kind of sensors or online services it uses which would be important for those items sold without packaging.

Preferably, this can be achieved through standard graphical symbols indicating the presence of particular sensors or the use of online services and social networks. It can also identify whether the toy’s or novelty’s functionality are dependent on these sensors or online services.

App stores and other software platforms that host “connector” software have to implement stringent permissions for these kind of devices especially if they use a microphone, camera or location sensor. There could be standards on whether the software is allowed to record from these sensors over a long time or keep the recording persistent on the host device or online service.

A limitation I would also like to see for connected toys and novelties that if they work with another computing device including a smart speaker, the connection can only be effectively within the same premises. This can be tested through the use of a peripheral-grade connection like Bluetooth or USB to a computing device or limiting the range of discovery for network-based devices to that of the same logical private network or subnet. Here, it represents all the devices on the LAN side of a home-network’s router and excludes devices existing on other logical networks served by the same physical device like “guest” or “community” networks.

As far as Bluetooth is concerned, the toys should implement authentication processes during the setup phases. Then the device ceases to be able to be discovered once it is paired with a host device. It is like what we are seeing with Bluetooth headsets and similar devices that have been recently released. They may also have to work on a limited radio range to prevent successful connection from a distance.

There should also be a simple “factory-reset” process to allow the user to place the toy or novelty in to setup mode, effectively wiping data from the device. This allows a recipient to effectively “claim possession” of the device as if it is new, avoiding the situation where they may be given something that is compromised to do what someone else wants it to do. It also applies to situations where you are dealing with ex-demo stock or gift-fair samples.

This should also apply to online services associated with these toys or novelties where the user has proper account control for the device’s presence on that service and any data collected by that device.

There are devices that observe particular functions according to a particular device class supported by many platforms like a novelty nightlight or illuminated Nativity scene that works with a “smart-home” setup or a novelty Bluetooth speaker. These devices have to work according to the standards in force for that device class and its connection to the host device or network. It is more important where the device may perform further tricks while running alongside dedicated vendor-created software but is able to have basic functionality without this software.

A software-level security approach could be achieved through an open-source or peer-reviewed baseline software that ticks the necessary boxes. This would apply to the firmware installed in the device and any apps or other companion software that is required to be run on other computing devices for the novelty to operate. It also includes a requirement that this software be reviewed regularly for any bugs or weaknesses that could be exploited, along with compliance requirements.

This could be assessed according to a set of European norms because the continental-European countries are very concerned regarding privacy thanks to their prior history.

As far as modules for integration in to toys, novelties and giftware is concerned, the modules should meet the same requirements as finished products that would have the same functionality. Craftspeople should also be aware of data security and user privacy issues when it comes to choosing modules for their projects that are dependent on computer devices or networks.

Setup and Connectivity

Another area that is a sore point for connected toys and novelties is bringing these devices on board for you to use. In a lot of cases, this is exacerbated through awkwardly-written instructions that can test one’s patience and not much knowledge about what is needed for the device to work fully.

The device packaging could use Wi-Fi, Bluetooth or other standard logos to indicate what kind of connectivity it needs to operate fully. This is to be highlighted with the “app store” logos for various operating-system app stores if the device is dependent on companion apps for full functionality. Similarly, use of other official platform logos can be used to identify compatibility with platforms like smart-TVs or voice-driven home-assistants.

Simple-yet-secure setup and onboarding procedures are to be paramount in the design of these devices. For Bluetooth-based devices, they should use “simple-pairing” such as pressing a button on the device to make them discoverable. This is even made easier with a trend towards “out-of-the-box” discoverability if the device isn’t paired with any host. Then the user activates their host device in “Bluetooth Scan” mode to discover the device,  subsequently with them selecting the device through its presentation name.

Windows, Android and iOS are even implementing simplified device-discovery routines for Bluetooth devices, with the ability to lead users to visit the app store to install complementary software. This will make things easier for users to get the toy or novelty up and running.

Wi-Fi-based devices would have to use WPS-PBC push-button setup, Wi-Fi Easy Connect, or other simplified setup processes for integration with the home network. It also applies to other network connection standards where you have to enrol the device on to that network.

Smart-home devices that implement Zigbee, Z-Wave and similar standards also have to implement simplified discovery protocols implemented in these standards to bring them on-board.

In relationship to security, I underscored the need for use of device-class standards as much as possible. But it also applies to connectivity and useability where a device that honours device-class standards is also easier to use because you are operating it the same for its peers.

Conclusion

This year will become a time where security and useability will be of critical importance when toys, novelties and other similar goods that connect to the home network and the Internet are designed and sold to consumers. Here, these issues may avoid these kind of toys ending up in disuse due to security or setup issues.

Send to Kindle

Amnesty International reports on recent email phishing attacks

Article

How Hackers Bypass Gmail 2FA at Scale | Motherboard

Hacker spoofing bypasses 2FA security in Gmail, targets secure email services | ZDNet

My Comments

Recently, it has been revealed that hackers were attacking users of secure email sites by compromising the two-factor authentication that these sites implement.

This has been found to be an attack perpetrated by nation-states against journalists, human-rights defenders, non-government organisations and their allies in the Middle East and North Africa over 2017 and 2018. Here, this user base were using GMail and Yahoo Mail Webmail services and Protonmail and Tutanota secure Webmail services that were compromised. This is because the Webmail setup typically allowed for a client-independent portable email front.

What was going on was that a phishing page was asking for the users’ email and password but this would trigger the software’s two-factor authentication routine. But the user interface was “steered” via a fake page asking for the one-time password that the user would transcribe from their mobile phone which would receive this value via text messaging. It then led to the creation of an app password, typically used for third-party apps to use the service, but was used by the hacker to sustain control of the user’s email account.

Oh yeah, there was the SSL authentication which would show a “green padlock” icon on the user’s Web browser, making the user think that they were safe. But the phishing that took place was facilitated using fake domain names that sounded and looked like the real domain names.

This loophole exploited the use of the “intact key” or “green padlock” symbol in a Web browser’s user-interface to indicate that the SSL certificate was intact and that the interaction with the Website is safe thanks to HTTPS. But users may not know they are with the wrong Website, which is the breeding ground for phishing attempts.

The other weakness that was called out was the requirement for end-users to transcribe the one-time password from an SMS message, software token app or hardware token in order to phish the account. This was aggravated through the use of an app password to allow third-party app access to the service. What is being preferred as a secure 2FA solution was a security key kept in the possession of the end-user that connects to the user’s host device via USB, Bluetooth or NFC.

Most of us can easily relate this process to using an ATM to take cash out of our account or a payment terminal to pay for goods or services using our plastic cards. Here, to facilitate the transaction, you have to present your card by inserting it in or touching it on an identified spot on the ATM or payment terminal then enter your PIN number in to the same machine.

Extended Validation SSL site as identified on Microsoft Edge address bar -

Extended Validation SSL site as identified on Microsoft Edge – notice the organisation’s legal name appearing in green text

The Websites that high-risk end-users rely on can use Extended Validation SSL or Organisation-based SSL certificates and other authentication measures to verify the Website they are visiting is the correct one. Extended Validation SSL has a stronger certificate that verifies the organisation it is associated with and implements the strongest encryption available for HTTPS. The user experience here will have a green bar in the browser’s address bar along with the typical padlock icon while the organisation’s legal name is written in the address bar before the URL. The Organisation-based SSL certificate doesn’t have the green bar or text on the user interface but lists the organisation’s legal name in the address bar. But some browsers like recent Chrome versions don’t implement the green highlighting of the legal name for EV SSL certificates.

This also includes the organisations keeping tabs on their Internet “real estate” of domain names to identify typosquatting risks and, perhaps, make further “land grabs” of domain names if they can afford it.  This is in conjunction with efforts like what Amnesty International were doing with Protonmail and Tutamota where they are made aware of fake sites and are given legal assistance to take them down.

Then browsers and similar user agents could highlight domain names in a more distinct manner so users can know where they are at. This would be more important with email clients or browsers implemented on “reduced-user-interface” platforms like mobile operating systems. As well, end-users in high-security-risk user groups could be trained to be aware of the domains associated with Websites they are visiting. Mobile browsers pitched to smartphones can also implement a way to show the organisation’s legal name on the user interface such as a caret-identified drop-down interface that comes alive with Organisational Validated or Extended Validated SSL certificates.

Webmail-based user interfaces and similar high-risk online services could move towards use of “transcription-free” two-factor authentication like FIDO-U2F-compliant security keys including software keys run on mobile platforms to provide a secure login user experience.

Similarly, token-based authentication could be the way to go for app-to-service authentication especially as we use native-client software to interact with online services. This avoids the creation of persistent “app passwords” to facilitate native client access to online services. Here I would see this as being important as something to be investigated as part working towards secure client-based email setups, especially as the client-based email provides a platform-native user interface for your email.

Each of these approaches has to be looked at in a manner to work with small and medium organisations who don’t have their own IT staff. This is more so as this class of organisation sees itself as “grown up” when it uses cloud-based line-of-business software. The issue here is to assure that authorised users have secure access to the proper service they are authorised to use.

This situation that Amnesty International raised could also bring forward the idea of non-profit entities that underscore data security for independent media and civil society. Here, it could be about extending and bolstering the Electronic Frontier Foundation’s efforts or building up legal-action funds and lawyer teams to provide legal remedies against cyber-attacks.

What is now being realised is data security has now become a human-rights issue rather than an economic necessity.

Send to Kindle

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

It is being identified that network connectivity devices and devices that are part of the Internet-Of-Things are being considered the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored in to the device’s design along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network videosurveillance cameras. Recently in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport.There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software and the routers crashed.

Now the BSI who are Germany’s federal information-security government department have taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker sithation and the local-network-based attacker situation such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also addresses that sore point associated with router firmware. They address the issue of updating your router with the latest firmware whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can hang the end-user high and dry especially if there are newly-discovered weaknesses in the firmware after the manufacturer ceases to provide that software support.

The standard also places support for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to avoid the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This is because of risks like us purchasing equipment that has just been superseded typically to take advantage of lower prices,  or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

Send to Kindle

HP to start a bug bounty program for its printer firmware

Articles

HP OfficeJet 6700 Premium multifunction printer

HP to implement a bug bounty program to assure high-quality secure firmware for their printers like thisi OfficeJet.

HP Becomes the First Printer Maker to Launch a Bug Bounty | Tom’s Hardware

HP Launches $10,000 Bug Bounty for Printers | ExtremeTech

My Comments

Over the last few years, dedicated-function devices like printers, videosurveillance cameras, routers and the like have been identified as a weak point when it comes to data security.

This has been highlighted through some recent cyberattacks like the Mirai botnet attack which was driven by dedicated-function devices like videosurveillance cameras running compromised firmware along with recent security exploits associated with home and SOHO routers being able to run compromised firmware. There is also the fact that manufacturers are building the same kind of computer power in to these devices as what would be expected from a regular computer through the 1990s or 2000s. There is also the fact that these devices can be seen as an entry point in to a network that handles confidential data or be used as an onramp for a denial-of-service botnet.

Hewlett-Packard have answered the reality of firmware integrated within their printers by starting a bug-bounty program where software developers, computer hackers and the like are paid to “smoke out” bugs within this firmware. Then this leads to meaningful software updates and patches that are sent out to owners of these devices, typically through an automatic or semi-automatic installation approach. It is a similar practice to what Microsoft, Apple and others are working on to make sure that they are running high-quality secure operating-system and application software.

This has been seen as of importance for printers targeted initially at the enterprise market because they would be processing significant amounts of company-confidential data in order to turn out company-confidential documents. But this approach would have to apply to home, SOHO and small-business machines as well as the larger workgroup machines found within the enterprise sector. This is because these kind of machines can be used by people working at or running a business from home along with those of us in charge of small businesses or community organisations.

By HP setting an example with their printer firmware, it could become a standard across other vendors who want to maintain a culture of developing high-quality secure firmware for their dedicated-function devices. This is more so as the consumer and enterprise IT market raises expectations regarding the software quality and security that affects the devices they use.

Send to Kindle

U2F-compliant security keys now seen as phish-proof

Articles

Facebook login page

It is being proven that the use of a hardware security key is making the login experience phish-proof

Google Employees’ Secret to Never Getting Phished Is Using Physical Security Keys | Gizmodo

U2F Security Keys Show Extreme Effectiveness Against Phishing | Tom’s Hardware

Google: Security Keys Neutralized Employee Phishing | Krebs On Security

My Comments

An issue that is being raised regarding SMS-driven two-factor authentication is that it can be used to facilitate phishing and other fraud against the user’s account. Here, it relies on the user receiving an SMS or voice call with a key value to enter in to the login user interface and this is totally dependent on the SMS or call being received at a particular phone number.

The area of risk being highlighted is that the user could be subjected to social engineering to “steer” their phone number to a mobile device under the hacker’s control. Or the IT infrastructure maintained by your mobile telephony provider could be hacked to “steer” your phone number somewhere else. The ease of “steering” your mobile phone number between devices is brought about thanks to a competitive-telephony requirement to “port” mobile or local numbers between competing telephony-service providers if a subscriber wishes to “jump ship” and use a different provider.

Google have proven that the use of hardware security keys that are part of the FIDO Allance’s U2F (Universal Second Factor) ecosystem are more secure than the SMS-based second-factor arrangement used by most online services. This is a “follow-on” from the traditional card-size or fob-size security token used by some banking services to verify their customers during the login process or when instantiating certain transactions.

Here, Google issued all their employees with a U2F-compliant security key and made it mandatory that their work accounts are secured with this key rather than passwords and one-time codes.

Most of these keys are connected to the host computer via plugging them in to a vacant USB port on that host. But there are or can be those that use Bluetooth and / or NFC “touch-and-go” technology to work with mobile devices.

Why are these U2F security keys more secure than the SMS-based two-factor authentication or app-based two-factor authentication? The main reason is that the U2F security key is a separate dedicated hardware device that works on an isolated system, rather than a backbone system dependent on mobile-telephony infrastructure or software that runs on a computer device that can be exposed to security exploits.

For most users, the concept of using a U2F-compliant security key for their data relates it to being the equivalent of the traditional key that you use to gain access to your home or car as in something you possess for that purpose. Most U2F-compliant security keys that use USB or Bluetooth would also require you to press a button to complete the authentication process. Again this is similar to actually turning that key in the lock to open that door.

This has underscored the “phish-proof” claim because a person who uses social engineering to make an attempt on the user’s credentials would also need to have the user’s security key to achieve a successful login. It is something that is similar to what happens when you use an ATM to withdraw cash from your bank account because you need to insert your account card in the machine and enter your PIN to commence the transaction.

What kind of support exists out there for U2F authentication? At the browser level, currently Chrome, Opera and Firefox provide native support but Firefox users would need to enable it manually. At the moment, there isn’t much production-level support for this technology at the operating-system level and a handful of applications, namely password-vault applications, provide native support for U2F authentication.

The issue of providing support for U2F authentication at the operating-system level is a real issue thanks to operating systems having an increased amount of native client-level support for online services “out of the box”. It also includes the use of Web browsers that are developed by the operating system’s vendor like Edge (Microsoft Windows) and Safari (Apple MacOS and iOS) with the operating system set up “out of the box” to use these browsers as the default Web browser. As well, Microsoft, Google and Apple implement their own platform-wide account systems for all of the services they provide.

Other questions that will end up being raised would be the use of hardware-key authentication in the context of single-sign-on arrangements including social-sign-on, along with the 10-foot lean-back user experience involving the TV set. The former situation is underscored through the popularity of Google, Facebook and Microsoft as user credential pools for other online and mobile services. This is while the latter situation would underscore console-based online gaming, interactive TV and video-on-demand services which are account-driven, with the idea of being able to support simplified or “other-device” user authentication experiences.

What has been proven is that easy-to-use dedicated security keys are a surefire means of achieving account security especially where the main attack vector is through social engineering.

Send to Kindle

You can find out what Cortana has recorded

Article

Harman Invoke Cortana-driven smart speaker press picture courtesy of Harman International

You can also manage your interactions with the Harman-Kardon Invoke speaker here

How to delete your voice data collected by Microsoft when using Cortana on Windows 10 | Windows Central

My Comments

Previously, I posted an article about managing what Amazon Alexa has recorded when you use an Amazon Echo or similar Alexa-compatible device.

Now Microsoft has a similar option for Cortana when you use it with Windows 10. This is also important if you use the Harman-Kardon Invoke smart speaker, the Johnson Controls GLAS smart thermostat as long as they are bound to your Microsoft account.

Windows 10 Settings - Accounts - Manage My Microsoft Account

Manage your Microsoft Account (and Cortana) from Windows 10 Settings

In most instances such as your computer, Cortana may be activated by you clicking on an icon on the Taskbar or pressing a button on a suitably-equipped laptop, keyboard or other peripheral to have her ready to listen. But you may set her up to hear the “Hey Cortana” wake word to listen to you. This may be something that a Cortana-based smart device may require of you for expected functionality when you set it up.

This may be a chance where Cortana may cause problems with picking up unwanted interactions. But you can edit what Cortana has recorded through your interactions with her.

Here, you go in to Settings, then click on Accounts to open the Accounts screen. Click on Your Info to which will show some basic information about the Microsoft Account associated with your computer.

Privacy dashboard on your Microsoft Account management Website

Privacy dashboard on your Microsoft Account management Website

Click on “Manage My Microsoft Account” which will open a Web session in your default browser to manage your Microsoft Account. Or you could go directly to https://account.microsoft.com without needing to go via the Settings menu on your computer. The direct-access method can be important if you have to use another computer like a Mac or Linux box or don’t want to go via the Settings option on your Windows 10 computer.

Microsoft Account Privacy Dashboard - Cortana Interactions highlighted

Click here for your Cortana Voice interaction history

You will be prompted to sign in to your Microsoft Account using your Microsoft Account credentials. Click on the “Privacy” option to manage your privacy settings. Then click on the “Activity History” option and select “Voice” to view your voice interactions with Cortana. Here, you can replay each voice interaction to assess whether they should be deleted. You can delete each interaction one by one by clicking the “Delete” option for that interaction or clear them all by clicking the “Clear activity” option.

Details of your voice interactions with Cortana

Details of your voice interactions with Cortana

Your management of what Cortana has recorded takes place at the Microsoft servers in the same vein to what happens with Alexa. But there will be the disadvantage of Cortana not having access to the false starts in order to use her machine learning to understand your voice better.

These instructions would be useful if you are dealing with a Cortana-powered device that doesn’t use a “push-to-talk” or “microphone-mute” button where you can control when she listens to you.

Send to Kindle