Data security Archive

Safe computing practices in the coronavirus age

Coronavirus Covid-19

The coronavirus plague is having us at home, inside and online more….
(iStock by Getty Images)

The Covid-19 coronavirus plague is changing our habits more and more as we stay at home to avoid the virus or avoid spreading it onwards. Now we are strongly relying on our home networks and the Internet to perform our work, continue studying and connect with others in our social circles.

But this state of affairs is drawing out its own cyber-security risks, with computing devices being vulnerable to malware and the existence of hastily-written software being preferred of tasks like videoconferencing. Not to mention the risk of an increasing flow of fake news and disinformation about this disease.

What can we do?

General IT security

But we need to be extra vigilant about our data security and personal privacy

The general IT security measures are very important even in this coronavirus age. Here, you need to make sure that all the software on your computing devices, including their operating systems are up-to-date and have the latest patches. It also applies to your network, TV set-top and Internet-of-Things hardware where you need to make sure the firmware is up-to-date. The best way to achieve this is to have the devices automatically download and install the revised software themselves.

As well, managing the passwords for our online services and our devices properly prevents the risk of data and identity theft. It may even be a good idea to use a password vault program to manage our passwords which may prevent us from reusing them across services.  Similarly using a word processor to keep a list of your passwords which is saved on removeable media and printed out, with both the hard and electronic copy kept in a secure location may also work wonders here.

Make sure that your computer is running a desktop / endpoint security program, even if it is the one that is part of the operating system. Similarly, using an on-demand scanning tool like Malwarebytes can work as a way to check for questionable software. As well, you may have to check the software that is installed on all of the computing devices is what you are using and even verify with multiple knowledgeable people if that program that is the “talk of the town” should be on your computer.

If you are signing up with new online services, it may even be a better idea to implement social sign-on with established credential pools like Google, Facebook or Microsoft. These setups implement a token between the credential pool and the online service as the authentication factor rather than a separate username and password that you create.

As well, you will be using the Webcam more frequently on your computing devices. The security issue with the Webcam and microphone is more important with computing setups that have the Webcam integrated in the computer or monitor, like with portable computing devices, “all-in-one” computers or monitors equipped with Webcams.

Here, you need to be careful of which programs are having access to the Webcam and microphone on your device. Here, if newly-installed software asks for use of your camera or microphone and it is out of touch with the way the software works, deny access to the camera or microphone when it asks for their use.

If you install a health-department-supplied tracking app as part of your government’s contact-tracing and disease-management efforts, remember to remove this app as soon as the coronavirus crisis is over. Doing this will protect your privacy once there is no real need to manage the disease.

Email and messaging security

Your email and messaging platforms will become an increased security risk at this time thanks to phishing including business email compromise. I have covered this issue in a previous article after helping someone reclaim their email service account after a successful phishing attempt.

An email or message would be a phishing attempt if the email isn’t commensurate with proper business writing standards for your country, has a sense of urgency about it and is too good to be true. Once you receive these emails, it is prudent to report them then delete them forthwith.

In the case of email addresses from official organisations, make sure that the domain name represents the organisation’s proper domain name. This is something that is exactly like the domain name they would use for their Web presence, although email addresses may have the domain name part of the address following the “ @ “ symbol prepended with a server identifier like “mail” or “email”. As well, there should be nothing appended to the domain name.

Also, be familiar with particular domain-name structures for official organisation clusters like the civil / public service, international organisations and academia when you open email or surf the Web. These will typically use protected high-level domain name suffixes like “.gov”, “.int” or “.edu” and won’t use common domain name suffixes like “ .com “. This will help with identifying whether a site or a sender is the proper authority or not.

Messaging and video-conferencing

Increasingly as we stay home due to the risk of catching or spreading the coronavirus plague, we are relying on messaging and video-conferencing software more frequently to communicate with each other. For example, families and communities are using video-conferencing software like Zoom or Skype to make a virtual “get-together” with each other thanks to these platforms’ support for many-to-many videocalls.

But as we rely on this software more, we need to make sure that our privacy, business confidentiality and data security is protected. This is becoming more important as we engage with our doctors, whether they be general practitioners or specialists, “over the wire” and reveal our medical issues to them that way.

If you value privacy, look towards using an online communications platform that implements end-to-end encryption. Infact, most of the respected “over-the-top” communications platforms like WhatsApp, Viber, Skype and iMessage offer this feature for 1:1 conversations between users on the same platform. Some, like WhatsApp and Viber offer this same feature for group conversations between users on that same platform.

Video-conferencing software like Zoom and Skype

When you are hosting a video-conference using Zoom, Skype or similar platforms, be familiar with any meeting-setup and meeting-management features that the platform offers. If the platform uses a Weblink to join a video-conference that you can share, use email or a messaging platform to share that link with potential participants. Avoid posting this on the Social Web so you keep gatecrashers from your meeting or class.

As well, if the platform supports password-protected meeting entry, use this feature to limit who can join the meeting. Here, it is also a good idea to send the password as a separate message from the meeting’s Weblink.

Some platforms like Zoom offer a waiting-room function which requires potential participants to wait and be vetted by the conference’s moderator before they can participate. As well these platforms may have a meeting-lockout so no more people can participate in the video-conference. Here, you use this function when all the participants that you expect are present in the meeting.

You need to regulate the screen sharing feature that your platform offers which allows meeting participants to share currently-running app or desktop user interfaces. Here, you may have the ability to limit this function to the moderator’s computer or a specified participant’s computer. Here this will prevent people from showing offensive imagery or videos to all the meeting’s participants. As well, you may also need to regulate access to any file-sharing functionality that the platform offers in order to prevent the video conference becoming a vector for spreading malware or offensive material.

Fake news and disinformation

Just like with the elections that count, the coronavirus issue has brought about its fair share of fake news and disinformation.

Here, I would recommend that you use trusted news sources like the respected public-service broadcasters for information about this plague. As well, I would recommend that you visit respected health-information sites including those offered “from the horse’s mouth” by local, regional or national government agencies for the latest information.

As well, trust your “gut reaction” when it comes to material that is posted online about the coronavirus plague, including the availability of necessary food or medical supplies. Here, he careful of content that is “out of reality” or plays on your emotions. The same attitude should also apply when it comes to buying essential supplies online and you are concerned about the availability and price of these supplies.

Conclusion

As we spend more time indoors and online thanks to the coronavirus, we need to keep our computing equipment including our tablets and smartphones running securely to protect our data and our privacy.

Send to Kindle

Reverse image searching–a very useful tool for verifying the authenticity of content

Tineye reverse image search

Tineye – one of the most popular and useful reverse image search tools

Article

How To Do A Reverse Image Search From Your Phone | PCMag

My Comments and further information

Increasingly, most of us who regularly interact with the Internet will be encouraged to perform reverse-image searches.

This is where you use an image you supply or reference as a search term for the same or similar images on other Internet resources. It can also be about identifying a person or other object that is in the image.

Increasingly this is being used by people who engage in online dating to verify the authenticity of the person whom they “hit” on in an online-dating or social-media platform. It is due to romance scams where “catfishing” (pretending to be someone else in order to attract people of a particular kind) is part of the game. Here, part of the modus operandi is for the perpetrator to steal pictures of other people that match a particular look from photo-sharing or social-media sites and use these images in their profile.

It also is being used as a way to verify the authenticity of a product being offered for sale through an online second-hand-goods marketplace like eBay, Craigslist or Gumtree. It also extends to short-term house rentals including AirBnB where the potential tenant wants to verify the authenticity of the premises that is available to let.

As well, reverse image searching is being considered more relevant when it comes to checking the veracity of a news item that is posted online. This is very important in the era of fake news and disinformation where online images including doctored images are being used to corroborate questionable news articles.

How do you do a reverse image search?

At the moment, there are a few reverse-image-search engines that are available to use by the ordinary computer user. These include Tineye, Google Image Search, Bing Visual Search, Yandex’s image search function and Social Catfish’s reverse-image-search function.

Dell Inspiron 14 5000 2-in-1 at Rydges Melbourne (Locanda)

A regular computer like this Dell Inspiron 14 5000 2-in-1 makes it easier to do a reverse image search thanks to established operating system and browser code and its user interface.

The process of using these services involves you uploading the image to the service including using “copy-and-paste” techniques or passing the image’s URL to an address box in the search engine’s user interface. The latter method implies a “search-by-reference” method with the reverse-image-search site loading the image associated with that link into itself as its search term.

Using a regular desktop or laptop computer that runs the common desktop operating systems makes this job easier. This is because the browsers offered on these platforms implement tabs or allow multiple sessions so you can run the site in question in one tab or window and one or two reverse-image-search engines in other tabs or windows.

These operating systems also maintain well-developed file systems and copy-paste transfer algorithms that facilitate the transfer of URLs or image data to these reverse-image-search engines. That will also apply if you are dealing with a native app for that online service such as the client app offered by Facebook or LinkedIn for Windows. As well, Chrome and Firefox provide drag-and-drop support so you can drag the image from that Tinder or Facebook profile in one browser session to Tineye running in the other browser session.

But mobile users may find this process very daunting. Typically it requires the site to be opened and logged in to in Chrome or Safari then opened as a desktop version which is the equivalent of viewing it on a regular computer. For Chrome, you have to tap on the three-dot menu and select “Request Desktop Site”. For Safari, you have to tap the upward-facing arrow to show the “desktop view” option and select that option.

Then you open the image in a new tab and copy the image’s URL from the address bar. That is before you visit Google Image Search or Tineye to paste the URL in that app’s interface.

Google has built in to recent mobile versions of Chrome a shortcut to their reverse-image-search function. Here, you “dwell” on the image with your finger to expose a pop-up menu which has the “Search Google For This Image” option. The Bing app has the ability for you to upload images or screenshots for searching.

Share option in Google Chrome on Android

Share option in Google Chrome on Android

If you use an app like the Facebook, Instagram or Tinder mobile clients, you may have to take a screenshot of the image you want to search on. Recent iOS and Android versions also provide the ability to edit a screenshot before you save it thus cutting out the unnecessary user-interface stuff from what you want to submit. Then you open up Tineye or Google Image Search in your browser and upload the image to the reverse-image-search engine.

How can reverse image searching on the mobile platforms be improved

What can be done to facilitate reverse image searching on the mobile platforms is for reverse-image-search engines to create lightweight apps for each mobile platform. This app would make use of the mobile platform’s “Share” function for you to upload the image or its URL to the reverse-image-search engine as a search term. Then the app would show you the results of your search through a native interface or a view of the appropriate Web interface.

Share dialog on Android

A reverse-image-search tool like Tineye could be a share-to destination for mobile platforms like iOS or Android

Why have this app work as a “share to” destination? This is because most mobile-platform apps and Web browsers make use of the “share to” function as a way to take a local or online resource further. It doesn’t matter whether it is to send to someone else via a messaging platform including email; obtain a printout or, in some cases, stream it on the big screen via AirPlay or Chromecast.

The lightweight mobile app that works with a reverse-image-search engine answers the reality that most of us use smartphones or mobile-platform tablets for personal online activity. This is more so with social media, online dating and online news sources, thanks to the “personal” size of these devices.

Conclusion

What is becoming real is reverse image searching, whether of particular images or Webpages, is being seen as important for our security and privacy and for our society’s stability.

Send to Kindle

Germany to instigate the creation of a European public cloud service

Article

Map of Europe By User:mjchael by using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

Europe to have one or more public cloud services that respect European sovereignty and values

Germany to Unveil European Cloud to Rival Amazon, Alibaba | ITPro Today

France, Germany want more homegrown clouds to pick from | ITNews (Premium)

My Comments

Germany is instigating a European-wide project to create a public cloud-computing service.  As well, France is registering intent in this same idea but of creating another of these services.

Both countries’ intention is to rival what USA and Asia are offering regarding public-cloud data-processing solutions. But, as I have said before, it is about having public data infrastructure that is sovereign to European laws and values. This also includes the management and dissemination of such data in a broad and secure manner.

Freebox Delta press photo courtesy of Iliad (Free.fr)

… which could also facilitate European software and data services like what is offered through the Freebox Delta

The issue of data sovereignty has become of concern in Europe due to the USA and China pushing legislation to enable their governments to gain access to data held by data service providers that are based in those countries. This is even if the data is held on behalf of a third-party company or hosted on servers that are installed in other countries. The situation has been underscored by a variety of geopolitical tensions involving especially those countries such as the recent USA-China trade spat.

It is also driven by some European countries being dissatisfied with Silicon Valley’s dominance in the world of “as-a-service” computing. This is more so with France where there are goals to detach from and tax “GAFA” (Google, Apple, Facebook and Amazon) due to their inordinate influence in consumer and business computing worlds.

or BMW’s voice-driven assistant for in-car infotainment

Let’s not forget that Qarnot in France has designed computers that put their waste heat to use for heating rooms or creating hot water in buildings. This will appeal to a widely-distributed data-processing setup that could be part of public cloud-computing efforts.

Questions that will crop up with the Brexit agenda when Europe establishes this public cloud service will include British data sovereignty if data is held on the European public cloud or whether Britain will have any access or input into this public cloud.

Airbus A380 superjumbo jet wet-leased by HiFly at Paris Air Show press picture courtesy of Airbus

… just like this Airbus A380 superjumbo jet shows European prowess in aerospace

Personally I could see this as facilitating the wider creation of online services by European companies especially with the view to respecting European personal and business values. It could encompass ideas like voice-driven assistant services, search engines, mapping and similar services for consumers or to encourage European IT development.

Could this effort that Germany and France put forward be the Airbus or Arianespace of public-cloud data services?

Send to Kindle

Why do I consider a digital fax vault an important feature for multifunction printers?

HP LaserJet Pro CM1415fnw colour laser multifunction printer

HP LaserJet Pro CM1415fnw colour laser multifunction printer – an example of a fax-capable multifunction that implements flash memory and fax-vault functionality

Nearly every multifunction printer that is pitched towards small businesses and SOHO operations is equipped with basic Group 3 fax functionality at least. Most will have the high-speed Super Group 3 functionality while most multifunctions that print colour will support colour faxing.

This is a feature still considered of value by people who work in the legal, medical and allied professions because they see it as the preferred way to exchange documents “over the wire”, especially in the context of requiring other parties to sign and send the documents.

But inbound documents that arrive via these machines can be seen by people other than the intended recipients which is something that can betray the required confidentiality that most of these documents require. This is an important issue as far as client confidentiality and privacy are concerned when it comes to legal, medical or similar issues; but can also be of concern with the intellectual property that most organisations accrue such as customer / member lists or financial reports.

This can be of concern in traditional workplace environments like clinics where you have people like late-night workers or contract cleaners existing in the office beyond normal business hours. It can also be exacerbated for small-time professionals who share or sub-let office space or use serviced offices.

It can also extend to people who maintain a home office, something that is an increasing trend for small-time practitioners or people who maintain a small public storefront at other premises. In this case, even though the business operator’s household respects the business’s confidentiality requirements, there is the issue of houses being occupied by house-sitters, couch-surfers and the like who may not respect that level of confidentiality even though you trust them. It includes tradespeople who come in to your home to perform work that you require.

What is a “fax vault” and how could this feature answer these situations?

Brother MFC-J5730DW multifunction inkjet printer

Brother MFC-J5730CDW fax-equipped multifunction which can be set up to forward incoming faxes to Dropbox or OneDrive

A “fax vault” function stores all incoming fax documents to a digital storage medium of some sort rather than printing them out. Then the user enters a code and selects a “print stored faxes” function to print out the documents. Such setups could allow functions like printing out selected faxes such as those that relate to the work they are dealing with, or forwarding the documents to another fax machine like the one installed at a convenience store or newsagent to be collected there. Some machines also provide a “forward to email” function where they send the received fax document via email as a TIFF-FAX file or a PDF file.

Some of these setups may provide PIN-protected dial-in access to allow users to enable or disable this function or forward documents to a nominated fax machine from the nearest telephone like their home phone. The functionality could also be facilitated through a Web page or mobile-platform app for a granular operating experience.

The most basic form of this kind of storage is in RAM memory in the machine, but a power failure can have you lose all the documents you have received. Better implementations of this storage can be in the form of non-volatile storage like a hard disk or solid-state storage device including an SD card or flash memory installed in the machine, or the data is held on a network storage like a NAS.

For example, HP implemented integrated flash memory within the LaserJet Pro CM1415fnw that I reviewed. This was in lieu of using RAM which is vulnerable to power failure, also leading to that printer implementing a comprehensive “fax vault” function,

Brother have come close to this ideal by equipping some of their printers with “Fax Forward To Cloud” functionality provided as a machine app where documents can be held in a Dropbox or similar online-storage account. But this feature still requires the user to have documents printed out as they come in.

As I review a fax-capable multifunction printer, I applaud manufacturers who offer this function in the proper manner in their products especially if it is feasible not to print documents that are held on the storage. As well, I applaud manufacturers who implement non-volatile memory technology, preferably user-upgradeable technology or use of external, network or common cloud-based storage for incoming faxes.

The feature is important to prevent others from seeing confidential faxes which come in through the machine thus assuring client confidentiality and privacy along with intellectual-property protection for professionals.

How to achieve this better

The manufacturers could implement flash memory in their fax-capable MFCs to avoid risk of document loss during power failures.

This can be taken further with the ability for the user to install standard-form storage devices like SDXC cards, M.2 or 2.5” SATA storage devices within the machine to allow the user to install higher-capacity storage devices at a later time; or a USB port to allow the connection of USB Mass-Storage devices like memory keys or external hard disks. SD-based cards or M.2 SSD sticks can work well with the manufacturer’s desire to maintain a compact design for their desktop multifunction printer devices.

Similarly, simplified resource-discovery protocols for NAS devices could make these devices discoverable by equipment other than regular computers. This could be facilitated through a Samba (open-source SMB implementation) client on the multifunction that implements the SMB protocol most of the NAS units use.

To protect the data on the mon-volatile storage device against further snooping should the non-volatile media unit be stolen, the fax-enabled multifunction printer could implement encrypted storage or simply encrypt the files associated with fax operation. File-based encryption can also work with data stored on a NAS unit.

The large capacities offered by newer cost-effective storage media would cater to businesses in the legal profession who are having to deal with large legal documents as a matter of course, or doctors who receive graphically-rich documents like medical imaging.

It also encourages the use of the non-volatile storage medium in these machines for storing fax documents yet to be transmitted such as with scheduled faxing or attempting to transmit a document to a machine that is busy or not answering. The benefit also applies when your machine is busy printing large documents and wants to keep itself available for other incoming faxes.

For regular printing from a network, the non-volatile storage option can allow for enqueued printing where each job waits on the storage medium until it is printed out. This can also work well with secure print-job release where you enter a code that you predetermine to collect your job before the job is turned out. It can also allow manufacturers to implement remote printing, public-printing facilities and the like as part of a multifunction’s feature set.

Let’s not forget scanning, where an efficient workflow can be created. Here, a user could scan many originals at the machine then go to their computer or mobile device to take them further by “picking them up” from the machine’s storage. A multifunction with advanced abilities could even have the ability to, for example, recognise many small originals like snapshot photos, business cards or till receipts that are scanned at once and create separate files for each original.

Conclusion

Having a digital fax vault as part of a small-business or SOHO-grade fax-capable multifunction’s feature set can be of value to professionals who place high value on client confidentiality.

Send to Kindle

What will passwordless authentication be about?

Facebook login page

You soon may not need to remember those passwords to log in to the likes of Facebook

The traditional password that you use to authenticate with an online service is in the throes of losing this role.

This is coming about due to a lot of security risks associated with server-based passwords. One of these is for us to use the same password across many online services, leading towards credential reuse and “stuffing” attacks involving “known” username/password or email/password pairs. As well, the password is also subject to brute-force attacks including dictionary attacks where multiple passwords are tried against the same account. It also includes phishing and social-engineering attacks where end-users are tricked in to supplying their passwords to miscreants, something I had to rectify when an email account belonging to a friend of mine fell victim to phishing. This is facilitated by users creating passwords based on personal facts that work as aide-memoires. Passwords can also be stolen through the use of keyloggers or compromised network setups.

Managing multiple passwords can become a very user-unfriendly experience with people ending up using password-vault software or recording their passwords on a paper ore electronic document. As well, some applications can make password entry very difficult. Examples of these include connected-TV or games-console applications where you pick each character out using your remote control’s or game controller’s D-pad to enter the password.

You will be able to set your computer up to log you in to your online services with a PIN, fingerprint or other method

The new direction is to implement passwordless authentication where a client device or another device performs the authentication role itself and sends an encrypted token to the server. This token is then used to grant access to the account or facilitate the transaction.

It may be similar to multifactor authentication where you do something like enable a mobile authenticator app after you key in your online service’s password. But it also is very similar to how a single-sign-on or social-sign-on arrangement works with the emphasis on an authenticated-session token rather than your username and password as credentials.

The PIN will be authenticated locally nd used to enable the creation of a session token for your online service

There will be two key approaches which are centred around the exchange of an asymmetric key pair between the client and server devices.

The first of these will be the primary client device like your laptop computer or a smartphone that you are using the online service on. Or it can be a secondary client device like your smartphone that is holding the private key. You authenticate with that device using a device-local PIN or password or a biometric factor like your fingerprint or face.

Android security menu

The same holds true for your Android or other smartphone

The second will involve the use of a hardware token like a FIDO2-compliant USB or Bluetooth access key or an NFC-compliant smart card. Here, you activate this key to pass on the credentials including the private key to the client computer for your online session.

It is being facilitated through the use of FIDO2, WebAuthN and CTAP standards that allow compliant Web browsers and online services to implement advanced authentication methods. At the moment, Windows 10 is facilitating this kind of login through the use of the Windows Hello user-authentication functionality, but Android is in the process of implementing it in the mobile context.

There is effectively the use of a form of multifactor authentication to enable the cryptographic key pair between the client and server devices. This is based around the device you are using and the fact you are there to log in.

HP Elitebook 2560p business notebook fingerprint reader

The fingerprint reader on this HP Elitebook and similar laptops will become more important here

If the authentication is to take place on the primary client device like a laptop or smartphone, the device’s secure element like a TPM module in a laptop or the SIM card in a smartphone would be involved in creating the private key. The user would enter the device-local PIN or use the fingerprint reader to enable this key which creates the necessary session token peculiar to that device.

On the other hand, if it is to take place on a secondary device like a smartphone, the authentication and session-token generation occurs on that device. This is typically with the user notified to continue the authentication on the secondary device, which continues the workflow on its user interface. Typically this will use a Bluetooth link with the primary device or a synchronous Internet link with the online service.

The online service has no knowledge of these device-local authentication factors, which makes them less likely to be compromised. For most users, this could be the same PIN or biometric factor used to unlock the device when they switch it on and they could use the same PIN across multiple devices like their smartphone or laptop. But the physical device in combination with the PIN, fingerprint or facial recognition of that user would be both the factors required to enable that device’s keypair and create the session token to validate the session.

A hardware token can be in the form of a USB or Bluetooth security key or a NFC smart card. But this device manages the authentication routines and has private keys kept in its secure storage.

There will be the emphasis around multiple trusted devices for each service account as well as the same trusted device supporting multiple services. Some devices like hardware tokens will have the ability to be “roaming” devices in order to do things like enabling a new device to have access to your online services or allow ad-hoc use of your services on shared equipment such as the public-use computers installed at your local library. They will also work as a complementary path of verification if your client device such as a desktop PC doesn’t have all the authentication functionality.

Similarly, when you create a new account with an online service, you will be given the option to “bind” your account with your computer or smartphone. Those of us who run online services that implement legacy-based sign-in but are enabled for passwordless operation will have the option in the account-management dashboard to bind the account with whatever we use to authenticate it with and have it as a “preferred” authentication path.

Some of the passwordless authentication setups will allow use with older operating systems and browsers not supporting the new authentication standards by using time-limited or one-use passwords created by the authentication setup.

Questions that will arise regarding the new passwordless Web direction is how email and similar client-server setups that implement native clients will authenticate their sessions. Here, they may have to evolve towards having the various protocols that they work with move towards key-pair-driven session tokens associated with the particular service accounts and client devices.

There will also be the issue of implementing this technology in to dedicated-purpose devices, whether as a server or client device. Here, it is about securing access to the management dashboards that these devices offer, which has become a strong security issue thanks to attacks on routers and similar devices.

IT WILL TAKE TIME TO EVOLVE TO PASSWORDLESS

Send to Kindle

It will be easy to use your voice to delete what you previously said to Alexa

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

You will be able to use your voice to delete instructions you said to your Amazon Echo

Articles

How to See and Delete Alexa’s Recordings of You | Tom’s Guide

You Can Now Tell Alexa To Delete Your Conversations | Lifehacker

My Comments

An issue that anyone with a voice-driven home assistant device will be wanting to have control of is what the device’s platform has recorded when they spoke to that device. It also includes the risk of your device being accidentally triggered by situations such as an utterance of the wake word in a recording or broadcast. A previous article that I have written describes how to achieve this kind of control with your Amazon Echo or similar Alexa-based device.

But Amazon have taken this further for the Alexa platform by allowing you to speak to your Alexa-based device to delete recordings left on the platform during particular time ranges.

How to enable this function

You have to use the Amazon Alexa app or Website to enable this feature but you don’t have to install another Alexa Skill in to your account for this purpose. Once you are logged in to your Amazon Alexa app or Website, enter the Settings section which would be brought up under a hamburger-shape “advanced-operations” menu.

Then you go to your “Alexa Account” option in that section and bring up the “Alexa Privacy” menu. Go to the “Review Voice History” screen and you will see the  “Enable Deletion By Voice” option that you can toggle on or off. Having this feature on will allow you to use the voice commands that will be listed below. When you enable it, you will see a warning that anyone with access to your Alexa-based devices will be able to delete what was said to the Alexa ecosystem.

Commands

“Alexa, delete everything I said today” will cause your Alexa-based device to delete anything you said to it from midnight (0:00) of the current day to the time you gave that instruction.

For greater control, Amazon will roll out this other command: “Amazon, delete what I just said”. This will delete what was last said to your Alexa device and can be of use when handling a nuisance-trigger situation for example.

Conclusion

I would see the other voice-driven assistant platforms provide the ability to delete what you said under your voice control as a user-enabled option. This will be more so as the light shines brightly on what the Silicon Valley establishment are up to with end-user data privacy amongst other issues like corporate governance.

Send to Kindle

The UK to mandate security standards for home network routers and smart devices

Articles UK Flag

UK mulls security warnings for smart home devices | Engadget

New UK Laws to Make Broadband Routers and IoT Kit More Secure | ISP Review

From the horse’s mouth

UK Government – Department of Digital, Culture, Media and Sport

Plans announced to introduce new laws for internet connected devices (Press Release}

My Comments

A common issue that is being continually raised through the IT security circles is the lack of security associated with network-infrastructure devices and dedicated-function devices. This is more so with devices that are targeted at households or small businesses.

Typical issues include use of simple default user credentials which are rarely changed by the end-user once the device is commissioned and the ability to slip malware on to this class of device. This led to situations like the Mirai botnet used for distributed denial-of-service attacks along with a recent Russia-sponsored malware attack involving home-network routers.

Various government bodies aren’t letting industry handle this issue themselves and are using secondary legislation or mandated standards to enforce the availability of devices that are “secure by design”. This is in addition to technology standards bodies like Z-Wave who stand behind logo-driven standards using their clout to enforce a secure-by-design approach.

Netgear DG834G ADSL2 wireless router

Home-network routers will soon be required to have a cybersecurity-compliance label to be sold in the UK

The German federal government took a step towards having home-network routers “secure by design”. This is by having the BSI who are the country’s federal office for information security determine the TR-03148 secure-design standard for this class of device.  This addresses minimum standards for Wi-Fi network segments, the device management account and user experience, along with software quality control for the device’s firmware.

Similarly, the European Union have started on the legal framework for a “secure-by-design” certification approach, perhaps with what the press describe as an analogy to the “traffic-light” labelling on food and drink packaging to indicate nutritional value. It is based on their GDPR data-security and user-privacy efforts and both the German and European efforts are underscoring the European concern about data security and user privacy thanks to the existence of police states within Europe through the 20th century.

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

… as will smart-home devices like the Amazon Echo

But the UK government have taken their own steps towards mandating home-network devices be designed for security. It will use their consumer-protection and trading-standards laws to have a security-rating label on these devices, with a long-term view of making these labels mandatory. It is in a similar vein to various product-labelling requirements for other consumer goods to denote factors like energy or water consumption or functionality abilities.

Here, the device will be have requirements like proper credential management for user and management credentials; proper software quality and integrity control including update and end-of-support policies; simplified setup and maintenance procedures; and the ability to remove personal data from the device or reset it to a known state such as when the customer relinquishes the device.

Other countries may use their trading-standards laws in this same vein to enforce a secure-by-design approach for dedicated-function devices sold to consumers and small businesses. It may also be part of various data-security and user-privacy remits that various jurisdictions will be pursuing.

The emphasis on having proper software quality and integrity requirements as part of a secure-by-design approach for modem routers, smart TVs and “smart-home” devices is something I value. This is due to the fact that a bug in the device’s firmware could make it vulnerable to a security exploit. As well, it will also encourage the ability to have these devices work with highly-optimised firmware and implement newer requirements effectively.

At least more countries are taking a step towards proper cybersecurity requirements for devices sold to households and small businesses by using labels and trading-standards requirements for this purpose.

Send to Kindle

Dell issues a security advisory regarding its SupportAssist software

Article

Dell XPS 13 2-in-1 Ultrabook at Rydges Melbourne

Check that the SupportAssist software on your Dell computer like this XPS 13 2-in-1 is up-to-date to keep a secure computing environment

Dell Computers Exposed to RCE Attacks by SupportAssist Flaws | BleepingComputer

From the horse’s mouth

Dell

DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities (Support Notice)

Official Resources

Dell software download site

https://downloads.dell.com/serviceability/Catalog/SupportAssistInstaller.exe (Official software installer)

My Comments

A version of Dell’s SupportAssist computer-maintenance software that is currently installed on most recent-issue Dell desktop and laptop computers, including some of the Dell laptops reviewed on this site, has been found to have a bug that is a security issue. This bug will affect versions of this software prior to 3.2.0.90 .

Here, the bug exposes the SupportAssist software to a vulnerability that allows malicious code to be executed remotely. At the moment, it appears to happen on the same logical network, which can be a vulnerability for users using public-access networks that aren’t properly configured for client isolation.

It was discovered by a teenage software researcher called Bill Demirkapi, but other flaws regarding verification of software provenance were found in the prior versions of this software by another software researcher called John C. Hennessy-ReCar. Here, Dell practised responsible disclosure in reporting the SupportAssist software vulnerability and made sure there were newer properly-patched versions of this software.

A newer version (3.2.0.90) of this software has been released and made available to download from Dell’s servers. I have placed the link to the installer package and Dell’s software download site so you can make sure your computer is up-to-date. The software download site also has a “Detect PC” button to allow the site to properly identify the Dell computer it is being used from incase you find it difficult to properly identify the exact model yourself. You may also find that the existing SupportAssist software may update itself or suggest an update when it checks Dell’s servers for new software versions.

As well, copy the SupportAssist installer application referenced here to a USB memory key or portable hard disk because your system may keep the prior version of this application in its recovery partition and you would be running that version should you have to restore your computer from that partition.

A good practice that I would like to see regarding “recovery partitions” on today’s computers is to have a user-selectable option to “slipstream” or update these partitions with newer software versions. This can be of importance with major or minor revisions to the operating system or updated application, driver and support software.

It may be a good practice when you buy a prebuilt computer to visit its manufacturer’s support resources regularly to check for new software updates for hardware drivers or support software. You may also be alerted to any issues that you might come across with this system. As well, registering your system with the manufacturer may be of value when it comes to being alerted to software or hardware issues.

Send to Kindle

Australian Electoral Commission weighs in on online misinformation

Article

Australian House of Representatives ballot box - press picture courtesy of Australian Electoral Commission

Are you sure you are casting your vote or able to cast your vote without undue influence?

Australian Electoral Commission boots online blitz to counter fake news | ITNews

Previous coverage

Being cautious about fake news and misinformation in Australia

From the horse’s mouth

Australian Electoral Commission

Awareness Page

Press Release

My Comments

I regularly cover the issue of fake news and misinformation especially when this happens around election cycles. This is because it can be used as a way to effectively distort what makes up a democratically-elected government.

When the Victorian state government went to the polls last year, I ran an article about the issue of fake news and how we can defend ourselves against it during election time. This was because of Australia hosting a run of elections that are ripe for a concerted fake-news campaign – state elections for the two most-populous states in the country and a federal election.

It is being seen as of importance due to fact that the IT systems maintained by the Australian Parliament House and the main Australian political parties fell victim to a cyber attack close to February 2019 with this hack being attributed to a nation-state. This can lead to the discovered information being weaponised against the candidates or their political parties similar to the email attack against the Democrat party in the USA during early 2016 which skewed the US election towards Donald Trump and America towards a highly-divided nation.

The issue of fake news, misinformation and propaganda has been on our lips over the last few years due to us switching away from traditional news-media sources to social media and online search and news-aggregation sites. Similarly, the size of well-respected newsrooms is becoming smaller due to reduced circulation and ratings for newspapers and TV/radio stations driven by our use of online resources. This leads to poorer-quality news reporting that is a similar standard to entertainment-focused media like music radio.

A simplified low-cost no-questions-asked path has been facilitated by personal computing and the Internet to create and present material, some of which can be questionable. It is now augmented by the ability to create deepfake image and audio-visual content that uses still images, audio or video clips to represent a very convincing falsehood thanks to artificial-intelligence. Then this content can be easily promoted through popular social-media platforms or paid positioning in search engines.

Such content takes advantage of the border-free nature of the Internet to allow for an actor in one jurisdiction to target others in another jurisdiction without oversight of the various election-oversight or other authorities in either jurisdiction.

I mentioned what Silicon Valley’s online platforms are doing in relation to this problem such as restricting access to online advertising networks; interlinking with fact-check organisations to identify fake news; maintaining a strong feedback loop with end-users; and operating robust user-account-management and system-security policies, procedures and protocols. Extant newsrooms are even offering fact-check services to end-users, online services and election-oversight authorities to build up a defence against misinformation.

But the Australian Electoral Commission is taking action through a public-education campaign regarding fake news and misinformation during the Federal election. They outlined that their legal remit doesn’t cover the truthfulness of news content but it outlines whether the information comes from a reliable or recognised source, how current it is and whether it could be a scam. Of course there is the issue of cross-border jurisdictional issues especially where material comes in from overseas sources.

They outlined that their remit covers the “authorisation” or provenance of the electoral communications that appear through advertising platforms. As well, they underscore the role of other Australian government agencies like the Australian Competition and Consumer Commission who oversee advertising issues and the Australian Communications And Media Authority who oversee broadcast media. They also have provided links to the feedback and terms-and-conditions pages of the main online services in relationship to this issue.

These Federal agencies are also working on the issue of electoral integrity in the context of advertising and other communication to the voters by candidates, political parties or other entities; along with the “elephant in the room” that is foreign interference; and security of these polls including cyber-security.

But what I have outlined in the previous coverage is to look for information that qualifies the kind of story being published especially if you use a search engine or aggregated news view; to trust your “gut reaction” to the information being shared especially if it is out-of-touch with reality or is sensationalist or lurid; checking the facts against established media that you trust or other trusted resources; or even checking for facts “from the horse’s mouth” such as official press releases.

Inspecting the URL in your Web browser’s address bar before the first “/” to see if there is more that what is expected for a news source’s Web site can also pay dividends. But this can be a difficult task if you are using your smartphone or a similarly-difficult user interface.

I also even encourage making more use of established trusted news sources including their online presence as a primary news source during these critical times. Even the simple act of picking up and reading that newspaper or turning on the radio or telly can be a step towards authoritative news sources.

As well, I also encourage the use of the reporting functionality or feedback loop offered by social media platforms, search engines or other online services to draw attention to contravening content This was an action I took as a publisher regarding an ad that appeared on this site which had the kind of sensationalist headline that is associated with fake news.

The issue of online misinformation especially during general elections is still a valid concern. This is more so where the online space is not subject to the kinds of regulation associated with traditional media in one’s home country and it becomes easy for foreign operators to launch campaigns to target other countries. What needs to happen is a strong information-sharing protocol in order to place public and private stakeholders on alert about potential election manipulation.

Send to Kindle

Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices connected to the same router irrespective of what media they use to connect to this network like Ethernet or Wi-Fi wireless. It is represented at Layer 3 (Network Layer) on the OSI network model stack and is represented by IP (Internet Protocol) whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network. This is thanks to IP-based isolation functionality that the router that serves the hotspot offers.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the random key number that confirms what we have along with what we know. But in a lot of situations, we have the smartphone and the computer we want to use to gain access to the resources existing on the same network. This may be our home or business network, a public-access hotspot or tethering our laptop to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other. It is more so if the devices are communicating to each other behind the same Wi-Fi access point or Ethernet switch. This concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup if you are thinking of two devices that are able to connect to a network via Wi-Fi. This is more so where the issue of phishing of multi-factor authentication setups involving the transcription of a one-time passcode has been raised.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet / logical network behind the same gateway device (router) could be a way to attest that both devices are in the same premises. The same test can be performed by the use of a “hop count” on Layer 3 of the OSI network-layer tree, which also determines the number of logical networks passed.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi Wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the use of the BSSID which identifies the same access point that the devices are connecting through or the ESSID which is the network’s “call sign”. The BSSID could be used for a public hotspot network including a “hotzone” network ran by a local government or ISP,or a large network that uses many access points while the ESSID approach could be used simply for a small network with a few access points.

Trusted networks with authentication certificates

On the other hand, there could be the concept of creating “trusted networks” where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. It could be used to work against man-in-the-middle attacks as well as a stronger approach to attesting trust between the client device and the network it proposes to access.

The initial appeal for this concept could be to attest the authenticity of a business’s network especially in the face of business partners or customers who want to use that network as a gateway to the Internet or use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide for the simple yet secure public-access Wi-Fi network.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. Then this data could be created by the ISP as a “known trusted network” with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service especially to cater for “proof-of-presence” applications.

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, this can be a surefire way of assessing device proximity.to other devices. But use of certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.

Send to Kindle