Data security Archive

What will passwordless authentication be about?

Facebook login page

You soon may not need to remember those passwords to log in to the likes of Facebook

The traditional password that you use to authenticate with an online service is in the throes of losing this role.

This is coming about due to the many security risks associated with server-based passwords. One of these is our habit of using the same password across many online services, leading to credential reuse and “stuffing” attacks involving “known” username/password or email/password pairs. The password is also subject to brute-force attacks, including dictionary attacks where multiple passwords are tried against the same account. Then there are phishing and social-engineering attacks where end-users are tricked into supplying their passwords to miscreants, something I had to rectify when an email account belonging to a friend of mine fell victim to phishing. Such attacks are made easier by users creating passwords based on personal facts that work as aide-memoires. Passwords can also be stolen through the use of keyloggers or compromised network setups.

Managing multiple passwords can become a very user-unfriendly experience, with people ending up using password-vault software or recording their passwords in a paper or electronic document. As well, some applications can make password entry very difficult. Examples include connected-TV or games-console applications where you pick out each character of the password using the D-pad on your remote control or game controller.

You will be able to set your computer up to log you in to your online services with a PIN, fingerprint or other method

The new direction is to implement passwordless authentication where a client device or another device performs the authentication role itself and sends an encrypted token to the server. This token is then used to grant access to the account or facilitate the transaction.

It may be similar to multifactor authentication where you do something like enable a mobile authenticator app after you key in your online service’s password. But it also is very similar to how a single-sign-on or social-sign-on arrangement works with the emphasis on an authenticated-session token rather than your username and password as credentials.

The PIN will be authenticated locally and used to enable the creation of a session token for your online service

There will be two key approaches, both centred around an asymmetric key pair established between the client and server devices.

The first of these uses the primary client device, like the laptop computer or smartphone on which you are using the online service, or a secondary client device like your smartphone, to hold the private key. You authenticate with that device using a device-local PIN or password, or a biometric factor like your fingerprint or face.

Android security menu

The same holds true for your Android or other smartphone

The second will involve the use of a hardware token like a FIDO2-compliant USB or Bluetooth access key or an NFC-compliant smart card. Here, you activate this key to pass on the credentials including the private key to the client computer for your online session.

It is being facilitated through the FIDO2, WebAuthn and CTAP standards, which allow compliant Web browsers and online services to implement advanced authentication methods. At the moment, Windows 10 facilitates this kind of login through the Windows Hello user-authentication functionality, and Android is in the process of implementing it in the mobile context.

Effectively, a form of multifactor authentication is used to enable the cryptographic key pair between the client and server devices. The factors are the device you are using and the fact that you are present to log in.

HP Elitebook 2560p business notebook fingerprint reader

The fingerprint reader on this HP Elitebook and similar laptops will become more important here

If the authentication is to take place on the primary client device like a laptop or smartphone, the device’s secure element, like the TPM module in a laptop or the SIM card in a smartphone, would be involved in creating the private key. The user would enter the device-local PIN or use the fingerprint reader to enable this key, which creates the necessary session token peculiar to that device.

On the other hand, if it is to take place on a secondary device like a smartphone, the authentication and session-token generation occur on that device. Typically the user is notified to continue the authentication on the secondary device, which carries on the workflow on its own user interface, over either a Bluetooth link with the primary device or a synchronous Internet link with the online service.

The online service has no knowledge of these device-local authentication factors, which makes them less likely to be compromised. For most users, this could be the same PIN or biometric factor used to unlock the device when they switch it on, and they could use the same PIN across multiple devices like their smartphone and laptop. But the physical device, in combination with the PIN, fingerprint or facial recognition of that user, would be the two factors required to enable that device’s key pair and create the session token that validates the session.

A hardware token can be in the form of a USB or Bluetooth security key or an NFC smart card. This device manages the authentication routines itself and keeps its private keys in its secure storage.

There will be the emphasis around multiple trusted devices for each service account as well as the same trusted device supporting multiple services. Some devices like hardware tokens will have the ability to be “roaming” devices in order to do things like enabling a new device to have access to your online services or allow ad-hoc use of your services on shared equipment such as the public-use computers installed at your local library. They will also work as a complementary path of verification if your client device such as a desktop PC doesn’t have all the authentication functionality.

Similarly, when you create a new account with an online service, you will be given the option to “bind” your account with your computer or smartphone. Those of us who run online services that implement legacy-based sign-in but are enabled for passwordless operation will have the option in the account-management dashboard to bind the account with whatever we use to authenticate it with and have it as a “preferred” authentication path.

Some of the passwordless authentication setups will allow use with older operating systems and browsers not supporting the new authentication standards by using time-limited or one-use passwords created by the authentication setup.

A question that will arise regarding the new passwordless Web direction is how email and similar client-server setups that use native clients will authenticate their sessions. Here, the protocols they work with may have to evolve towards key-pair-driven session tokens associated with the particular service account and client device.

There will also be the issue of implementing this technology into dedicated-purpose devices, whether as a server or client device. Here, it is about securing access to the management dashboards that these devices offer, which has become a strong security issue thanks to attacks on routers and similar devices.

IT WILL TAKE TIME TO EVOLVE TO PASSWORDLESS


It will be easy to use your voice to delete what you previously said to Alexa

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

You will be able to use your voice to delete instructions you said to your Amazon Echo

Articles

How to See and Delete Alexa’s Recordings of You | Tom’s Guide

You Can Now Tell Alexa To Delete Your Conversations | Lifehacker

My Comments

An issue that anyone with a voice-driven home assistant device will be wanting to have control of is what the device’s platform has recorded when they spoke to that device. It also includes the risk of your device being accidentally triggered by situations such as an utterance of the wake word in a recording or broadcast. A previous article that I have written describes how to achieve this kind of control with your Amazon Echo or similar Alexa-based device.

But Amazon have taken this further for the Alexa platform by allowing you to speak to your Alexa-based device to delete recordings left on the platform during particular time ranges.

How to enable this function

You have to use the Amazon Alexa app or Website to enable this feature, but you don’t have to install another Alexa Skill into your account for this purpose. Once you are logged in to your Amazon Alexa app or Website, enter the Settings section, which is brought up under a hamburger-shaped “advanced-operations” menu.

Then you go to the “Alexa Account” option in that section and bring up the “Alexa Privacy” menu. Go to the “Review Voice History” screen and you will see the “Enable Deletion By Voice” option that you can toggle on or off. Having this feature on will allow you to use the voice commands listed below. When you enable it, you will see a warning that anyone with access to your Alexa-based devices will be able to delete what was said to the Alexa ecosystem.

Commands

“Alexa, delete everything I said today” will cause your Alexa-based device to delete anything you said to it from midnight (0:00) of the current day to the time you gave that instruction.

For greater control, Amazon will roll out this other command: “Alexa, delete what I just said”. This will delete what was last said to your Alexa device and can be of use when handling a nuisance-trigger situation, for example.

Conclusion

I would see the other voice-driven assistant platforms provide the ability to delete what you said under your voice control as a user-enabled option. This will be more so as the light shines brightly on what the Silicon Valley establishment are up to with end-user data privacy amongst other issues like corporate governance.


The UK to mandate security standards for home network routers and smart devices

Articles

UK Flag

UK mulls security warnings for smart home devices | Engadget

New UK Laws to Make Broadband Routers and IoT Kit More Secure | ISP Review

From the horse’s mouth

UK Government – Department of Digital, Culture, Media and Sport

Plans announced to introduce new laws for internet connected devices (Press Release)

My Comments

A common issue continually raised in IT security circles is the lack of security in network-infrastructure devices and dedicated-function devices, more so with devices targeted at households or small businesses.

Typical issues include the use of simple default user credentials, which are rarely changed by the end-user once the device is commissioned, and the ability to slip malware onto this class of device. This led to situations like the Mirai botnet used for distributed denial-of-service attacks, along with a recent Russia-sponsored malware attack involving home-network routers.

Various government bodies aren’t letting industry handle this issue themselves and are using secondary legislation or mandated standards to enforce the availability of devices that are “secure by design”. This is in addition to technology standards bodies like Z-Wave who stand behind logo-driven standards using their clout to enforce a secure-by-design approach.

Netgear DG834G ADSL2 wireless router

Home-network routers will soon be required to have a cybersecurity-compliance label to be sold in the UK

The German federal government took a step towards having home-network routers “secure by design” by having the BSI, the country’s federal office for information security, define the TR-03148 secure-design standard for this class of device. This addresses minimum standards for Wi-Fi network segments, the device management account and user experience, along with software quality control for the device’s firmware.

Similarly, the European Union has started on the legal framework for a “secure-by-design” certification approach, perhaps with what the press describe as an analogy to the “traffic-light” labelling on food and drink packaging that indicates nutritional value. It builds on their GDPR data-security and user-privacy efforts, and both the German and European efforts underscore the European concern about data security and user privacy, born of the existence of police states within Europe through the 20th century.

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

… as will smart-home devices like the Amazon Echo

But the UK government have taken their own steps towards mandating that home-network devices be designed for security. They will use consumer-protection and trading-standards laws to put a security-rating label on these devices, with a long-term view of making these labels mandatory. This is in a similar vein to various product-labelling requirements for other consumer goods that denote factors like energy or water consumption or functionality.

Here, the device will have to meet requirements like proper management of user and administrator credentials; proper software quality and integrity control, including update and end-of-support policies; simplified setup and maintenance procedures; and the ability to remove personal data from the device or reset it to a known state, such as when the customer relinquishes the device.

Other countries may use their trading-standards laws in this same vein to enforce a secure-by-design approach for dedicated-function devices sold to consumers and small businesses. It may also be part of various data-security and user-privacy remits that various jurisdictions will be pursuing.

The emphasis on having proper software quality and integrity requirements as part of a secure-by-design approach for modem routers, smart TVs and “smart-home” devices is something I value. This is due to the fact that a bug in the device’s firmware could make it vulnerable to a security exploit. As well, it will also encourage the ability to have these devices work with highly-optimised firmware and implement newer requirements effectively.

At least more countries are taking a step towards proper cybersecurity requirements for devices sold to households and small businesses by using labels and trading-standards requirements for this purpose.


Dell issues a security advisory regarding its SupportAssist software

Article

Dell XPS 13 2-in-1 Ultrabook at Rydges Melbourne

Check that the SupportAssist software on your Dell computer like this XPS 13 2-in-1 is up-to-date to keep a secure computing environment

Dell Computers Exposed to RCE Attacks by SupportAssist Flaws | BleepingComputer

From the horse’s mouth

Dell

DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities (Support Notice)

Official Resources

Dell software download site

https://downloads.dell.com/serviceability/Catalog/SupportAssistInstaller.exe (Official software installer)

My Comments

A version of Dell’s SupportAssist computer-maintenance software, which is installed on most recent-issue Dell desktop and laptop computers including some of the Dell laptops reviewed on this site, has been found to have a bug that is a security issue. This bug affects versions of this software prior to 3.2.0.90.

Here, the bug exposes the SupportAssist software to a vulnerability that allows malicious code to be executed remotely. At the moment, this appears to require the attacker to be on the same logical network, which is a risk for users of public-access networks that aren’t properly configured for client isolation.

It was discovered by a teenage software researcher called Bill Demirkapi, while other flaws regarding verification of software provenance were found in prior versions of this software by another software researcher called John C. Hennessy-ReCar. Here, Dell practised responsible disclosure in reporting the SupportAssist software vulnerability and made sure there were newer, properly-patched versions of this software.

A newer version (3.2.0.90) of this software has been released and made available to download from Dell’s servers. I have placed the link to the installer package and Dell’s software download site so you can make sure your computer is up-to-date. The software download site also has a “Detect PC” button to allow the site to properly identify the Dell computer it is being used from, in case you find it difficult to identify the exact model yourself. You may also find that the existing SupportAssist software updates itself or suggests an update when it checks Dell’s servers for new software versions.

As well, copy the SupportAssist installer application referenced here to a USB memory key or portable hard disk because your system may keep the prior version of this application in its recovery partition and you would be running that version should you have to restore your computer from that partition.

A good practice that I would like to see regarding “recovery partitions” on today’s computers is to have a user-selectable option to “slipstream” or update these partitions with newer software versions. This can be of importance with major or minor revisions to the operating system or updated application, driver and support software.

It may be a good practice when you buy a prebuilt computer to visit its manufacturer’s support resources regularly to check for new software updates for hardware drivers or support software. You may also be alerted to any issues that you might come across with this system. As well, registering your system with the manufacturer may be of value when it comes to being alerted to software or hardware issues.


Australian Electoral Commission weighs in on online misinformation

Article

Australian House of Representatives ballot box - press picture courtesy of Australian Electoral Commission

Are you sure you are casting your vote or able to cast your vote without undue influence?

Australian Electoral Commission boots online blitz to counter fake news | ITNews

Previous coverage

Being cautious about fake news and misinformation in Australia

From the horse’s mouth

Australian Electoral Commission

Awareness Page

Press Release

My Comments

I regularly cover the issue of fake news and misinformation especially when this happens around election cycles. This is because it can be used as a way to effectively distort what makes up a democratically-elected government.

When the Victorian state government went to the polls last year, I ran an article about the issue of fake news and how we can defend ourselves against it during election time. This was because of Australia hosting a run of elections that are ripe for a concerted fake-news campaign – state elections for the two most-populous states in the country and a federal election.

It is being seen as of importance due to the fact that the IT systems maintained by the Australian Parliament House and the main Australian political parties fell victim to a cyber attack close to February 2019, with this hack being attributed to a nation-state. This can lead to the discovered information being weaponised against the candidates or their political parties, similar to the email attack against the Democrat party in the USA during early 2016 which skewed the US election towards Donald Trump and America towards a highly-divided nation.

The issue of fake news, misinformation and propaganda has been on our lips over the last few years due to us switching away from traditional news-media sources to social media and online search and news-aggregation sites. Similarly, the size of well-respected newsrooms is becoming smaller due to reduced circulation and ratings for newspapers and TV/radio stations driven by our use of online resources. This leads to poorer-quality news reporting that is a similar standard to entertainment-focused media like music radio.

A simplified low-cost no-questions-asked path has been facilitated by personal computing and the Internet to create and present material, some of which can be questionable. It is now augmented by the ability to create deepfake image and audio-visual content that uses still images, audio or video clips to represent a very convincing falsehood thanks to artificial-intelligence. Then this content can be easily promoted through popular social-media platforms or paid positioning in search engines.

Such content takes advantage of the border-free nature of the Internet to allow for an actor in one jurisdiction to target others in another jurisdiction without oversight of the various election-oversight or other authorities in either jurisdiction.

I mentioned what Silicon Valley’s online platforms are doing in relation to this problem such as restricting access to online advertising networks; interlinking with fact-check organisations to identify fake news; maintaining a strong feedback loop with end-users; and operating robust user-account-management and system-security policies, procedures and protocols. Extant newsrooms are even offering fact-check services to end-users, online services and election-oversight authorities to build up a defence against misinformation.

But the Australian Electoral Commission is taking action through a public-education campaign regarding fake news and misinformation during the Federal election. They outlined that their legal remit doesn’t cover the truthfulness of news content but it outlines whether the information comes from a reliable or recognised source, how current it is and whether it could be a scam. Of course there is the issue of cross-border jurisdictional issues especially where material comes in from overseas sources.

They outlined that their remit covers the “authorisation” or provenance of the electoral communications that appear through advertising platforms. As well, they underscore the role of other Australian government agencies like the Australian Competition and Consumer Commission who oversee advertising issues and the Australian Communications And Media Authority who oversee broadcast media. They also have provided links to the feedback and terms-and-conditions pages of the main online services in relationship to this issue.

These Federal agencies are also working on the issue of electoral integrity in the context of advertising and other communication to the voters by candidates, political parties or other entities; along with the “elephant in the room” that is foreign interference; and security of these polls including cyber-security.

But what I have outlined in the previous coverage is to look for information that qualifies the kind of story being published especially if you use a search engine or aggregated news view; to trust your “gut reaction” to the information being shared especially if it is out-of-touch with reality or is sensationalist or lurid; checking the facts against established media that you trust or other trusted resources; or even checking for facts “from the horse’s mouth” such as official press releases.

Inspecting the URL in your Web browser’s address bar before the first “/” to see if there is more that what is expected for a news source’s Web site can also pay dividends. But this can be a difficult task if you are using your smartphone or a similarly-difficult user interface.

I also even encourage making more use of established trusted news sources including their online presence as a primary news source during these critical times. Even the simple act of picking up and reading that newspaper or turning on the radio or telly can be a step towards authoritative news sources.

As well, I also encourage the use of the reporting functionality or feedback loop offered by social media platforms, search engines or other online services to draw attention to contravening content. This was an action I took as a publisher regarding an ad that appeared on this site which had the kind of sensationalist headline that is associated with fake news.

The issue of online misinformation especially during general elections is still a valid concern. This is more so where the online space is not subject to the kinds of regulation associated with traditional media in one’s home country and it becomes easy for foreign operators to launch campaigns to target other countries. What needs to happen is a strong information-sharing protocol in order to place public and private stakeholders on alert about potential election manipulation.


Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices connected to the same router irrespective of the media they use to connect to this network, like Ethernet or Wi-Fi wireless. It sits at Layer 3 (the Network Layer) of the OSI model and is defined by IP (Internet Protocol) addressing, whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network. This is thanks to IP-based isolation functionality that the router that serves the hotspot offers.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the random key number that confirms what we have along with what we know. But in a lot of situations, we have the smartphone and the computer we want to use to gain access to the resources existing on the same network. This may be our home or business network, a public-access hotspot or tethering our laptop to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other. It is more so if the devices are communicating to each other behind the same Wi-Fi access point or Ethernet switch. This concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup if you are thinking of two devices that are able to connect to a network via Wi-Fi. This is more so where the issue of phishing of multi-factor authentication setups involving the transcription of a one-time passcode has been raised.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet (logical network) behind the same gateway device (router) could be a way to attest that both devices are in the same premises. The same test can be performed using a “hop count” at Layer 3 of the OSI model, which counts the routers, and hence the logical networks, that traffic passes through between the two devices.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi Wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the BSSID, which identifies the particular access point the devices are connecting through, or the ESSID, which is the network’s “call sign”. The BSSID could be used for a public hotspot network, including a “hotzone” network run by a local government or ISP, or a large network that uses many access points, while the ESSID approach could be used simply for a small network with a few access points.

Trusted networks with authentication certificates

On the other hand, there could be the concept of “trusted networks”, where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. This could work against man-in-the-middle attacks and provide a stronger basis for attesting trust between the client device and the network it proposes to access.

The initial appeal of this concept could be to attest the authenticity of a business’s network, especially for business partners or customers who want to use that network as a gateway to the Internet or to use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide for the simple yet secure public-access Wi-Fi network.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. The ISP could then provision this data to mark the network as a “known trusted network”, with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service, especially to cater for “proof-of-presence” applications.
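A sketch of the signed “trusted network” record described above, as an added example that is not code from the article or from any Passpoint implementation: the ISP signs a small attestation with an Ed25519 key, the router presents it, and the client checks the signature and that the record names the network and access point it is actually on. The Attestation fields, the key handling and the sample venue values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Attestation is the record an ISP or venue operator would provision into a router's
// non-volatile memory: which network it vouches for, and until when.
type Attestation struct {
	RouterID string    `json:"router_id"`
	ESSID    string    `json:"essid"`
	BSSIDs   []string  `json:"bssids"` // access points the router is allowed to speak for
	Venue    string    `json:"venue"`
	NotAfter time.Time `json:"not_after"`
}

// SignedAttestation is what the router hands to a client that joins the network.
type SignedAttestation struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Issue is the ISP-side step: serialise the attestation and sign it with the ISP key.
func Issue(priv ed25519.PrivateKey, a Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the client-side step. The signature proves the ISP issued the record; the
// ESSID and BSSID comparisons bind it to the network the client actually joined, so a
// genuine attestation replayed by a look-alike access point is rejected.
func Verify(pub ed25519.PublicKey, sa SignedAttestation, essid, bssid string, now time.Time) (Attestation, error) {
	var a Attestation
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return a, errors.New("signature does not verify under the ISP key")
	}
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return a, err
	}
	if now.After(a.NotAfter) {
		return a, errors.New("attestation has expired")
	}
	if a.ESSID != essid {
		return a, errors.New("attestation names a different network")
	}
	for _, b := range a.BSSIDs {
		if strings.EqualFold(b, bssid) {
			return a, nil
		}
	}
	return a, errors.New("this access point is not covered by the attestation")
}

func main() {
	// Constructed demo: a real client would ship with the ISP's public key instead.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sa, _ := Issue(priv, Attestation{RouterID: "rtr-0001", ESSID: "CafeGuest",
		BSSIDs: []string{"aa:bb:cc:00:00:01"}, Venue: "Example Cafe", NotAfter: time.Now().Add(24 * time.Hour)})
	_, err := Verify(pub, sa, "CafeGuest", "aa:bb:cc:00:00:99", time.Now())
	fmt.Println("look-alike access point:", err)
}
```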

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, this can be a surefire way of assessing a device’s proximity to other devices. But certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.


Constance Hall puts trolling and bullying in the TV spotlight on Dancing With The Stars

Article

‘It hurts me so much’: Constance Hall targeted by trolls after reality TV announcement | Sydney Morning Herald

Dancing with the Stars: Constance Hall is ready to rumba! Here’s what you need to know about her | NowToLove.com


Previous Coverage on HomeNetworking01.info

Dealing with Internet trolls

Useful Resources

Crash Override Network – A resource centre based in the USA focused on online-abuse issues.

My Comments

Constance Hall, an online personality who has run a blog and maintains a public Facebook presence, is participating in the latest Dancing With The Stars season on Ten Network Australia. But because she decided to appear in this popular dancing talent-quest TV show, she received a lot of online abuse from various trolls. She has often copped this abuse in her online presence over how she looks, her outspokenness or her alternative lifestyle.

I have seen this happen with two of the contestants in MasterChef Australia season 10. One of them was accused of being close to George Calombaris because she had him taste a sample of something she was preparing before cooking it in quantity for the contest, while the other who was a nutritionist was turning out desserts which went against the grain of someone whose profession was about “clean eating”.

Even a few years ago, I observed a situation of online abuse directed at a cafe I was visiting because they wouldn’t accept the placement of a protest group’s campaign flyers near their till. This was while their neighbourhood was effectively being divided by the potential presence of a McDonalds fast-food restaurant, with this protest group against the proposed development. I even defended their right to control their own space, but they still had to effectively shut down the commenting ability on their Facebook presence.

This kind of bullying has become very toxic with the Gamergate saga which was an attack on female game developers and female gaming journalists. This situation got to a point where there were death threats against one of the game developers along with the publication of her home address and phone number.

Typically this can be about a perverse innuendo about intimate relationships involving one or more of the victims; that the victim doesn’t “fit the mould” expected of them; or that they are “taking the wrong side” on an issue.

But Constance Hall produced a Facebook video addressing this kind of behaviour in the online space. Here, it was about stopping the acceptance and normalisation of online bullying, and she related it to what happens to children and teenagers. This video was even played as part of the introductory video package that preceded her dance routine in Dancing With The Stars, which meant that the issues raised in the video had a good chance of being aired on prime-time traditional TV.

It is also part of her personal campaign to reach out to and encourage teenagers and other young people who are at risk of being bullied during their life’s journey especially in the online context.

A good practice to deal with trolling in an online environment would be to “insert” some common sense into the conversation. It may be best to approach it in a neutral form without appearing to take sides.

If it is getting out of control, most social-media platforms and some other online environments have the ability to “mute” participants or “hide” conversation threads so you don’t have them in your view. Social-media platforms also have the ability to block participants so they can’t follow you. As well, you may also have to report offensive behaviour to the online environment that it’s occurring in if it is becoming consistent.

If the online environment has the ability for users to upvote or downvote comments or threads, it can be used as a way to bury questionable comments. It is a feature that has appeared in some commenting platforms like Disqus or some online forum software, but is slowly being rolled out to major social media platforms like Facebook.

I applaud Constance Hall for how she has turned a negative experience around for something positive as well as underscoring a “you can do it” approach. This is more so for people who are or are likely to become an online personality who can easily fall victim to the ugly side of the Internet.


Computers that are secure by design are less likely to be bugs

Article


Running modern always-updated operating systems and applications on your laptop is a way to keep your computing environment safe and secure.

Should you be scared of your laptop’s webcam? | ZDNet

Previous Coverage

Regular operating systems and their vulnerability to security threats

My Comments

An article appeared about whether one should be scared of their computer’s integrated Webcam and microphone. Here, a Webcam and microphone integrated in a computer or monitor, or a USB Webcam that is always plugged in, could turn the computer into a surveillance device. But it highlighted the fact that recent versions of operating systems and productivity applications are “secure by design” when used at their default settings.

It went through two different “what-if” hacking scenarios with different software combinations to see how hard they were to penetrate in order to “open up” the Webcam. The trigger point was to receive a “loaded” document with instructions that the user must follow, something that can be done through an email phishing attempt. Here, the document would have a macro that would install malware to open up the Webcam and stream its vision remotely.

The first scenario involved a Windows 10 computer running the latest version of Microsoft Word, while the second involved MacOS 10.14 Mojave and the latest version of LibreOffice. All operating systems and applications were run in their default protected mode, but MacOS Mojave was temporarily configured to admit software from other sources in order to install LibreOffice on the Mac.

What was highlighted was the recent operating systems’ flagging or blocking of questionable software when the article’s author was asked to click on the required link within the document. The operating systems having their own basic endpoint-protection software underscored the ability to keep users safe from rogue software. Also highlighted was productivity software opening documents supplied by email or from questionable sources in a protected mode that inhibits the execution of macros.


Webcams, whether external like this one or integrated in a computing device, can’t be turned into bugs if you keep your computer software up-to-date with the latest patches and have it running “secure by default”.

This meant that neither the Webcam nor the microphone could be accessed without the user knowing. It demonstrated the recent “secure by design” approach of newer regular-computer environments that assures the average user of their data security. You may harden that attack surface further by masking an integrated Webcam that is part of your computer or monitor, or by disconnecting an external Webcam.

Unless you need to do otherwise, keep your computer’s operating system, applications and endpoint-security utilities running in a “default-for-security” manner. This also includes updating them to the latest version, preferably with the software updating itself.

If you are supporting other systems, don’t disable the computing environment’s security features unless you are sure they need to be disabled. Also educate the other users about data-security risks including the security warnings that will pop up on their computer.

If you are dealing with an old computer that is running a very old operating system and application software that doesn’t have the “secure by design” approach, you may have to cover or disconnect the Webcam. This is more so if it is found to be running the software “out of the box” without any patches or updates applied to it.

In most cases, the “secure-by-design” approach of most modern computing environments allows us to use regular or mobile computer equipment in a secure manner.


Business-email compromise phishing now affects consumers

Article


The sale of a property is an area where consumers can easily be caught up in a business-email compromise scam

Email crooks swindle woman out of $150K from home sale | Naked Security blog

An email scam has caused $200,000 in losses to real estate agents and home buyers in Victoria | Smart Company

My Comments

Ordinary householders can be at risk of a “business email compromise” phish attempt in the same way as those in large businesses.

The business email compromise scam

This scam typically has the trickster research as much as they can about their victim and his or her employer or business partners. The victim is usually someone who is likely to facilitate business-sensitive transactions or who handles business-sensitive data like the payroll. The trickster will find out whom the victim reports to within the organisation, such as the chief financial officer, or beyond the organisation, like their accountant, lawyer or the tax department.

Then they place an urgent request to the victim to wire funds to a particular account as part of a wire fraud. Or the victim could be asked to reply to the email with organisationally-sensitive data like employee data, typically presented as a “wages and tax-withholding” statement like a W2 (USA), P60 (UK and Ireland) or Group Certificate (Australia), to facilitate identity theft against the business’s staff.

How can ordinary people get caught up in these scams?


Having a rental apartment managed by someone else can also expose you to this scam.

This kind of email scam can similarly happen with personal transactions, especially high-stakes ones that typically require the engagement of legal counsel. Key examples would be the sale of real estate, businesses or investments.

Similarly, the probate settlement of a deceased estate or a property settlement after a divorce or separation could be at risk because these can involve a collection of items including high-value goods like real-estate or collectables. In that case, you are dealing with a real-estate transaction along with the valuation and sale of items.

It can also extend to transactions where you are delegating an agent to manage assets. Examples of these include trust funds typically for minor children, powers of attorney, or rental properties managed by a property manager or estate agent.

These transactions typically involve the frequent exchange of documents during the closure or settlement period where the transaction is in the process of being realised. They also involve dealing with different entities like conveyancers, law firms, estate agents and the like to facilitate the transactions. In addition, due to electronic transaction technologies like online document signing, there will be many emails between the parties that will have links to various resources like document repositories including document-signing platforms or results pages. They are also vulnerable towards the end of the settlement period where a last-minute change could be rushed in “under the radar”.

What can happen, for example, is that a fraudulent email could be used to “steer” the proceeds of a house sale away from the vendor’s account towards a fishy-sounding account. Or funds due to an estate’s beneficiary could be steered away to an account not under the control of that person.

What can you do?


Protect yourself against this scam by practising safe email habits

To protect yourself, make sure everything about the transaction is properly “cut and dried” as it evolves. This includes identifying and documenting sources, currencies and destinations of any funds along with procedures affecting the high-stakes transaction at the start of the transaction. Especially be careful of last-minute changes that crop up towards the end of the settlement.

Protect email accounts that are party to the transaction by implementing the security measures that the email service or client software provides. With Webmail services, multi-factor authentication may work as a secure measure, as will verifying that you log in to the service at its known proper address.

Carefully examine emails associated with the transaction to be sure they come from the proper email addresses. As far as links to online resources are concerned, make sure you know the proper domain name for these resources and that the links point to resources at that domain name. Attachments should also come through as proper representations of their filetype and you may have to use your endpoint security software to scan for document-laden malware.
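One way to mechanise the link check above, as an added example that is not code from the article: extract every link from a message body and flag those not under a domain you have confirmed for the transaction, including two common disguises the check must not fall for. The trusted domains and the sample message are constructed placeholders under .test.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// urlPattern picks http(s) links out of a plain-text email body.
var urlPattern = regexp.MustCompile(`https?://[^\s<>"'()]+`)

// Finding is one link that failed a check, with the reason.
type Finding struct {
	URL    string
	Reason string
}

// HostBelongsTo reports whether host is the trusted domain itself or a subdomain of it.
// The comparison works on label boundaries, so "conveyancer.test.evil.test" is not
// accepted for "conveyancer.test" even though it contains that string.
func HostBelongsTo(host, trusted string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	trusted = strings.ToLower(strings.TrimSuffix(trusted, "."))
	return host == trusted || strings.HasSuffix(host, "."+trusted)
}

// CheckLinks extracts every link in body and returns those that do not point at one of
// the domains the reader has independently confirmed for this transaction.
func CheckLinks(body string, trusted []string) []Finding {
	var findings []Finding
	for _, raw := range urlPattern.FindAllString(body, -1) {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			findings = append(findings, Finding{raw, "link could not be parsed"})
			continue
		}
		if u.User != nil {
			// "https://conveyancer.test@evil.test/" shows the trusted name first but sends
			// the browser to evil.test; everything before '@' is only user info.
			findings = append(findings, Finding{raw, "user info before '@' disguises the real host " + u.Hostname()})
			continue
		}
		if u.Scheme != "https" {
			findings = append(findings, Finding{raw, "not an https link"})
			continue
		}
		trustedHost := false
		for _, d := range trusted {
			if HostBelongsTo(u.Hostname(), d) {
				trustedHost = true
				break
			}
		}
		if !trustedHost {
			findings = append(findings, Finding{raw, "host " + u.Hostname() + " is not a confirmed domain"})
		}
	}
	return findings
}

func main() {
	// Constructed sample email body; all domains are placeholders under .test.
	body := "Settlement statement: https://portal.conveyancer.test/settlement/123\n" +
		"Please sign urgently at https://conveyancer.test.settle-now.test/login\n"
	for _, f := range CheckLinks(body, []string{"conveyancer.test", "docs-signing.test"}) {
		fmt.Printf("%s: %s\n", f.Reason, f.URL)
	}
}
```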

Similarly, you may have to make sure Word documents or Excel spreadsheets are viewed in “Protected View” where macros cannot be run or the document can’t be edited. You would need to exit this mode if you are editing the document such as filling in a form or amending a spreadsheet, or printing it out.

In some cases, a regular personal computer running desktop applications and Web browsers may become a better device to use for verification than a mobile-platform device like a smartphone or tablet. This is because the desktop operating system and software tends to offer a more detailed user experience than their mobile equivalents.

If someone changes their email or other communications details, confirm these details through another communications means that both of you trust. You may have to use one of the prior or alternate communications details to confirm the change if a significant number of details change, such as through a change of employment.

You may have to double-check invoices, account numbers and the like directly with the other party especially if these details are changed. It is best to do this in person or on the phone using independently-verified phone numbers such as numbers you already have for them.

Avoid the use of untrusted networks like insecure public-access networks to do your sensitive business. Here, you may find that using a mobile-broadband connection and/or a VPN may work with this kind of business if you are away from home or office networks you can trust.

Be especially careful about creditors where the payment-destination account number, the payment method or the currency changes during the course of your business. There may be legitimate reasons, such as a creditor changing banks or accounts for something that suits their needs better. But an impostor could be steering money that you owe to an account under the control of the grifter who is impersonating them.

If the high-stakes transaction has any international dimension about it, don’t be afraid to seek consular help regarding any aspect of that transaction. It may mean talking with your country’s foreign-affairs government department or the embassy or consulate associated with the foreign country. This is now important with people relocating overseas while maintaining assets like homes in their own or other countries, or goods being purchased via the Internet from foreign sellers.

For example, participants in a transaction conducted across international borders can use consular help to verify each other’s identities. Similarly, they can organise official translation of any official documents that are part of the transaction and are in a language that one of the parties doesn’t understand. Or you may simply need to confirm the legitimacy of that transaction in the foreign country, including any steps you need to take.

Conclusion

We as consumers can become vulnerable to the business-email compromise scam when we are dealing with high-stakes transactions like real-estate purchases. To protect yourself, it’s about secure computing and email practices along with making sure everything in the transaction is “cut and dried” including verifying changes through another communications path you trust.


European Union’s data security actions come closer

Article


The European Union will make steps towards a secure-by-design approach for hardware, software and services

EU Cybersecurity Act Agreed – “Traffic Light” Labelling Creeps Closer | Computer Business Review

Smart home: EU introduces security certificates for networked devices | Computer Bild (German language)

From the horse’s mouth

European Commission

EU negotiators agree on strengthening Europe’s cybersecurity (Press Release)

My Comments

After the GDPR effort for data protection and end-user privacy in our online life, the European Union wants to take further action regarding data security. But this time it is about achieving a “secure by design” approach for connected devices, software and online services.

This is driven by the recent WannaCry and NotPetya cyberattacks and is being achieved through the Cybersecurity Act, which is being passed through the European Parliament. It follows the German Federal Government’s effort to specify a design standard for the routers that we use as the network-Internet “edge” for our home networks.

There will be a wider remit for the EU Agency for Cybersecurity (ENISA) concerning cybersecurity issues that affect the European Union. But the key issue here is to have a European-Union-wide framework for cybersecurity certification, which will affect online services and consumer devices, with this certification valid throughout the EU. It is internal-market legislation that affects the security of connected products including the Internet Of Things, as well as critical infrastructure and online services.

The certification framework will be about having products that are “secure-by-design”, an analogy with a similar concept in building and urban design where the goal is to harden a development or neighbourhood against crime as part of the design process. In the IT case, this involves using various logic processes and cyberdefences to make it harder to penetrate computer networks, endpoints and data.

It will also be about making it easier for people and businesses to choose equipment and services that are secure. The computer press has drawn an analogy to the “traffic-light” coding on food and drink packaging that encourages customers to choose healthier options.

Vice-President Andrus Ansip (Digital Single Market): “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe’s digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening’s agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”

What the European Union are doing could have implications beyond the European Economic Area. Here, the push for a “secure-by-design” approach could make things easier for people and organisations in and beyond that area to choose IT hardware, software and services satisfying these expectations thanks to reference standards or customer-facing indications that show compliance.

It will also raise the game towards higher data-security standards from hardware, software and services providers especially in the Internet-of-Things and network-infrastructure-device product classes.
