Data security Archive

Qualcomm to authenticate photos taken on your phone

Article

Android main interactive lock screen

Qualcomm will work towards authenticating photos taken by smartphones or other devices using its ARM silicon at the point of capture

One of the strongest ways to fight misinformation will soon be right in your phone | FastCompany

My Comments

The rise of deepfaked and doctored imagery surfacing on the Web and being used to corroborate lies has started an arms race to verify the authenticity of audio and visual assets.

This effort was encouraged by the Trusted News Initiative, a group of leading newsrooms that wants to set standards regarding the authenticity of news imagery and introduce watermarks for this purpose.

TruePic, an image authentication service, is partnering with Qualcomm to develop hardware-based authentication of images as they are being taken. Qualcomm has become the first manufacturer of choice because its ARM-based silicon is used in most Android smartphones and in the Windows 10 ARM platform.

This will use the actual time and date, data gained from various device sensors and the image itself as it is taken to attach a certificate of authenticity to that image or video footage. This is used to guarantee the authenticity of the photos or vision before they leave the user’s phone.

TruePic primarily implements this technology in industries like banking, insurance, warranty provision and law enforcement, to work against fraudulent images being used to corroborate claims or where imagery has to meet high forensic standards. But at the moment, TruePic implements this technology as an additional app that users have to install.

The partnership with Qualcomm is to integrate the functionality into the smartphone’s camera firmware so that the software becomes more tamper-evident and this kind of authentication applies, at the user’s discretion, to all images captured by that sensor.

TruePic is partnering with Qualcomm at the moment because most amateur photos are taken with smartphones that use this kind of silicon. Once they have worked with Qualcomm, other camera chipmakers, including Apple, would need to collaborate with them to build authenticated-image technology into their camera technology.

It can then appeal to implementation within standalone camera devices like traditional digital cameras, video-surveillance equipment, dashcams and the like. For example, it could be easier to verify media footage shot on pro gear as authentic, or to have video-surveillance footage offered as evidence verified as forensically accurate. But in these cases, there may be calls for the devices to have access to highly-accurate time and location references for this to work.

The watermark generated by this technology is intended to be machine-readable and packaged with the image file. This will make it easier for software to show whether the image is authentic or not, and such software could be part of the Trusted News Initiative to authenticate amateur, stringer or other imagery or footage that comes into a newsroom’s workflow. Or it could be used by eBay, Facebook or Tinder to indicate whether images or vision are a genuine representation of the goods for sale or the profile holder.

But this technology needs to also apply to images captured by dedicated digital cameras like this Canon PowerShot G1 X

The idea would be to provide this function in an opt-in manner, typically as a shooting “mode” within a camera application. This allows the photographer to preserve their privacy. But the use of authenticated photos won’t allow users to digitally adjust their original photos to make them look better. The same situation may also apply to the use of digital zoom, which effectively crops photos and videos at the time they are taken.

There is the idea of implementing distributed-ledger technology to track edits made to a photo. This can be used to track at what point the photo was edited and what kind of editing work took place. This kind of ledger technology could also apply to copies of that photo, which matters where people save a copy of the image when they save their edits. It would also apply where a derivative work is created from the source file, such as a still image or a short clip obtained from a longer piece of existing footage.

A question that then arises is how the time of day is recorded in these certificates, including the currently-effective time zone and whether the time is obtained from a highly-accurate reference. Such factors may cast doubt on the forensic accuracy of these certificates as to when the photo or footage was actually taken.
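As an added example, not code from TruePic, Qualcomm or the original article, here is how a capture-time certificate, its verification and an edit ledger for derivative works could be expressed in Go: the manifest carries the image hash, a UTC timestamp with its time source (which addresses the time-zone question above), sensor readings and the parent image’s hash, and is signed with a per-device key. The field names, the ed25519 device key and the sample image bytes are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CaptureManifest is the machine-readable certificate packaged with the image file (field names are assumptions).
type CaptureManifest struct {
	ImageSHA256  string            `json:"image_sha256"`
	CapturedAt   string            `json:"captured_at"`             // RFC 3339 in UTC, so the zone is never ambiguous
	TimeSource   string            `json:"time_source"`             // "gnss", "network" or "device-clock": lets a verifier weigh accuracy
	Sensors      map[string]string `json:"sensors"`                 // constructed readings such as GPS fix quality
	ParentSHA256 string            `json:"parent_sha256,omitempty"` // on a derivative work: hash of the source image
	Edit         string            `json:"edit,omitempty"`          // what was done to produce the derivative
}

// SignedManifest bundles the manifest bytes with the capture-time signature and device public key.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
	DevicePub []byte `json:"device_pub"`
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignCapture models what camera firmware does at the point of capture: hash the image, record time and
// sensor data, and sign the manifest. parentSHA256 is "" for an original capture, else the source image's hash.
func SignCapture(devicePriv ed25519.PrivateKey, image []byte, captured time.Time, timeSource string, sensors map[string]string, parentSHA256, edit string) (SignedManifest, error) {
	m := CaptureManifest{
		ImageSHA256:  sha256Hex(image),
		CapturedAt:   captured.UTC().Format(time.RFC3339),
		TimeSource:   timeSource,
		Sensors:      sensors,
		ParentSHA256: parentSHA256,
		Edit:         edit,
	}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{
		Manifest:  raw,
		Signature: ed25519.Sign(devicePriv, raw),
		DevicePub: []byte(devicePriv.Public().(ed25519.PublicKey)),
	}, nil
}

// VerifyCapture is the newsroom or platform side: trusted device key, valid signature, and file bytes still
// hashing to the value recorded at capture; any edit or substitution of the image fails the last check.
func VerifyCapture(trustedPub ed25519.PublicKey, sm SignedManifest, image []byte) (CaptureManifest, error) {
	var m CaptureManifest
	if !bytes.Equal(sm.DevicePub, trustedPub) {
		return m, errors.New("device key is not trusted")
	}
	if !ed25519.Verify(trustedPub, sm.Manifest, sm.Signature) {
		return m, errors.New("signature invalid: manifest altered or not from this device")
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if m.ImageSHA256 != sha256Hex(image) {
		return m, errors.New("image bytes do not match the capture-time hash: edited or substituted")
	}
	return m, nil
}

// VerifyChain walks an edit ledger: every entry must verify on its own and must name the previous
// entry's image as its parent, so each derivative traces back to the original capture.
func VerifyChain(trustedPub ed25519.PublicKey, chain []SignedManifest, images [][]byte) error {
	if len(chain) == 0 || len(chain) != len(images) {
		return errors.New("chain and images must be non-empty and the same length")
	}
	var prev *CaptureManifest
	for i := range chain {
		m, err := VerifyCapture(trustedPub, chain[i], images[i])
		if err != nil {
			return fmt.Errorf("entry %d: %w", i, err)
		}
		if prev != nil && m.ParentSHA256 != prev.ImageSHA256 {
			return fmt.Errorf("entry %d: parent hash does not match entry %d", i, i-1)
		}
		prev = &m
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for a hardware-held device key
	original := []byte("constructed sample image bytes")
	capture, _ := SignCapture(priv, original, time.Now(), "gnss", map[string]string{"gps_fix": "3d"}, "", "")
	_, err := VerifyCapture(pub, capture, []byte("retouched bytes"))
	fmt.Println("edited copy rejected:", err != nil)
}
```

A real deployment would anchor the trusted public key in a manufacturer-issued device certificate rather than comparing raw key bytes, and would carry the signed manifest inside the image container itself.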

For most of us, it could come into its own when combatting deepfake and doctored images used to destabilise society. Those of us who use online dating or social-network platforms may use this to verify the authenticity of a person who is on that platform, thus working against catfishing. Similarly, image authentication at the point of capture may come into its own when we supply images or video to the media or to corroborate transactions.


Zoom to introduce end-to-end encryption

Articles

Zoom (MacOS) multi-party video conference screenshot

Zoom to provide end-to-end encryption for those video conferences

Zoom end-to-end encryption is finally rolling out next week | Android Authority

Zoom to preview free end-to-end encryption for meetings | ITNews

Zoom Is Adding End-To-End Encryption to Your Endless Meetings | Gizmodo

Zoom finally rolls out end-to-end encryption, but you have to enable it | Mashable

From the horse’s mouth

Zoom

Zoom Rolling Out End-to-End Encryption Offering (Blog Post)

My Comments

Since the COVID-19 coronavirus plague had us housebound even for work or school, we have ended up using videoconferencing platforms more frequently for work, school and social life. The most popular of these platforms ended up being Zoom which effectively became a generic trademark for multiparty videoconferencing.

But the computer press and consumer-privacy regulators identified that most of these videoconferencing platforms had security and user-privacy / company-confidentiality weaknesses. One of these that has beset Zoom was the lack of end-to-end encryption for multiparty video calls. This ended up being a key issue due to most of us using these platforms more frequently and the increased use of Zoom and similar platforms for medical and legal teleconsultations.

Now Zoom, as part of its recent Zoomtopia feature-launch multiparty videoconference, has launched a number of new features for their platform. These include virtual participant layouts similar to what Microsoft Teams is offering.

But the important one here is to facilitate end-to-end encryption during multiparty videoconferences. This will be available across all of Zoom’s user base, whether free or paid. For the first 30 days from next week, it will be a technical preview so they can find any bugs in the system.

The end-to-end encryption is based around the meeting host, rather than Zoom, generating the key pairs for the encryption protocol, which occurs as a videoconference is started and as users come on board. It is a feature that Zoom end-users would need to enable at account level and also activate for each meeting they wish to keep secure. That is different from WhatsApp, where end-to-end encryption occurs by default and in a hands-off manner.

At the moment, only updated native Zoom clients will support the end-to-end encryption – you won’t have support for it on Zoom Web experiences. If a meeting is operating with end-to-end encryption, there will be a green shield with a lock symbol in the upper left corner to indicate that this is the case. Participants can click on the icon to bring up a verification code and have that confirmed by the meeting host reading it out loud.

Free users will be required to use SMS-based verification when they set up their account for end-to-end encryption. This is a similar user experience to what a lot of online services are doing, where a mobile phone number serves as a second factor of authentication.

At least Zoom is taking steps towards making its multiparty videoconference platform more safe and secure for everyone.


Gizmodo examines the weaponisation of a Twitter hashtag

Article

How The #DanLiedPeopleDied Hashtag Reveals Australia’s ‘Information Disorder’ Problem | Gizmodo

My Comments

I read in Gizmodo how an incendiary hashtag directed against Daniel Andrews, the State Premier of Victoria in Australia, was pushed around the Twittersphere, and am raising it here as an article. It is part of keeping HomeNetworking01.info readers aware of disinformation tactics as we increasingly rely on the Social Web for our news.

What is a hashtag

A hashtag is a single keyword preceded by a hash (#) symbol that is used to identify posts on the Social Web that feature a concept. It was initially introduced in Twitter as a way of indexing posts created on that platform and making them easy to search by concept. But an increasing number of other social-Web platforms have enabled the use of hashtags for the same purpose. They are typically used to embody a slogan or idea in an easy-to-remember way across the social Web.

Most social-media platforms turn these hashtags into a hyperlink that shows a filtered view of all posts featuring that hashtag. They even use statistical calculations to identify the most popular hashtags on that platform, or the ones whose visibility is increasing, and present this in meaningful ways like ranked lists or keyword clouds.

How this came about

Earlier on in the COVID-19 coronavirus pandemic, an earlier hashtag called #ChinaLiedPeopleDied was circulating around the Social Web. This was underscoring a concept with only a small modicum of truth to it: that the Chinese government didn’t come clean about the genesis of the COVID-19 plague, with its worldwide death toll, and about its role in informing the world about it.

That hashtag was used to fuel Sinophobic hatred against the Chinese community and was one of the first symptoms of questionable information floating around the Social Web regarding COVID-19 issues.

Australia passed through the early months of the COVID-19 plague, and one of its border-control measures for this disease was to require incoming travellers to stay in particular hotels for a fortnight as a quarantine measure before they could roam around Australia. The Australian federal government put this program in the hands of the state governments but offered resources like the use of the military to these governments as part of its implementation.

The second wave of the COVID-19 virus was happening within Victoria, and a significant number of the cases were linked to some of the hotels associated with the hotel quarantine program. This caused a very significant death toll and had the state government resort to a raft of very stringent lockdown measures.

A new hashtag called #DanLiedPeopleDied came about because the Premier, Daniel Andrews, as the head of the state’s executive government, was perceived not to have come clean about any and all bungles associated with its management of the hotel quarantine program.

On 14 July 2020, this hashtag first appeared in a Twitter account that initially touched on Egyptian politics and delivered its posts in the Arabic language. But it suddenly switched countries, languages and political topics, which is one of the symptoms of a Social Web account existing just to peddle disinformation and propaganda.

The hashtag lay low until 12 August, when a run of Twitter posts featuring it was delivered by hyper-partisan Twitter accounts. This effort, also underscored by newly-created or suspicious accounts that existed to bolster the messaging, was to make it register on Twitter’s systems as a “trending” hashtag.

Subsequently a far-right social-media influencer with a following of 116,000 Twitter accounts ran a post to keep the hashtag going. There was a lot of very low-quality traffic featuring that hashtag or its messaging. It also included a lot of low-effort memes being published to drive the hashtag.

The above-mentioned Gizmodo article has graphs to show how the hashtag appeared over time which is worth having a look at.

What were the main drivers

A lot of the traffic highlighted in the article was driven by the use of new or inauthentic accounts, which aren’t necessarily “bots” – machine-operated accounts that provide programmatic responses or posts. Rather, this is the handiwork of trolls or sockpuppets (multiple online personas that are perceived to be different but say the same thing).

As well, there was a significant amount of “gaming the algorithm” activity going on in order to raise the profile of that hashtag. This is due to most social-media services implementing algorithms to expose trending activity and populate the user’s main view.

Why this is happening

Like other fake-news, disinformation and propaganda campaigns, the #DanLiedPeopleDied hashtag is an effort to sow seeds of fear, uncertainty and doubt while bringing about discord with information that has very little in the way of truth. As well, the main goal is to cause popular distrust in leadership figures and entities, as well as in their advice and efforts.

In this case, the campaign was targeted at us Victorians, who were facing social and economic instability associated with the recent stay-at-home orders thanks to COVID-19’s intense reappearance, in order to have us distrust Premier Dan Andrews and the State Government even more. As such, it is an effort to aim these kinds of campaigns at people who are in a state of vulnerability, when they are less likely to use defences like critical thought to protect themselves against questionable information.

As far as I know, Australia is rated as one of the most sustainable countries in the world by the Fragile States Index, in the same league as the Nordic countries, Switzerland, Canada and New Zealand. It means that the country is known to be socially, politically and economically stable. But we can find that a targeted information-weaponisation campaign can be used to destabilise a country even further, and we need to be sensitive to such tactics.

One of the key factors behind the problem of information weaponisation is the weakening of traditional media’s role in the dissemination of hard news. This includes younger people preferring to go to online resources, especially the Social Web, portals or news aggregator Websites for their daily news intake. It also includes many established newsrooms receiving reduced funding thanks to reduced advertising, subscription or government income, reducing their ability to pay staff to turn out good-quality news.

When we make use of social media, we need to develop a healthy suspicion regarding what is appearing. Beware of accounts that suddenly appear or develop chameleon behaviours especially when key political events occur around the world. Also be careful about accounts that “spam” their output with a controversial hashtag or adopt a “stuck record” mentality over a topic.

Conclusion

Any time where a jurisdiction is in a state of turmoil is where the Web, especially the Social Web, can be a tool of information warfare. When you use it, you need to be on your guard about what you share or which posts you interact with.

Here, do research on hashtags that are suddenly trending around a social-media platform and play on your emotions and be especially careful of new or inauthentic accounts that run these hashtags.


A call to attention now exists regarding videoconferencing platform security

Article

Zoom (MacOS) multi-party video conference screenshot

A call to action is now taking place regarding the data security and user privacy of video conferencing platforms

Privacy watchdogs urge videoconferencing services to boost privacy protections | We Live Security

From the horse’s mouth

Office Of The Privacy Commissioner Of Canada

Joint statement on global privacy expectations of Video Teleconferencing companies (English / Français)

Press Release (English, Français)

Office Of The Australian Information Commissioner

Global privacy expectations of video teleconference providers – with open letter

Federal Data Protection And Information Commissioner (Switzerland)

Audio And Video Conferencing Systems – Privacy Resource factsheet (English, Français, Deutsch, Italiano)

Open Letter (PDF)

Information Commissioner’s Office (United Kingdom)

Global privacy expectations of video teleconference providers

Open Letter (PDF)

My Comments

Thanks to the COVID-19 coronavirus plague, we are making increased use of various videoconferencing platforms for our work, education, healthcare, religious and social reasons.

This has been facilitated through the use of applications like Zoom, Skype, Microsoft Teams and HouseParty. It also includes “over-the-top” text-chat and Internet-telephony apps like Apple’s Facetime, Facebook’s Messenger, WhatsApp and Viber for this kind of communication, thanks to them opening up or having established multi-party audio/video conferencing or “party-line” communications facilities.

Security issues have been raised by various experts in the field about these platforms with some finding that there are platforms that aren’t fit for purpose in today’s use cases thanks to gaping holes in the platform’s security and privacy setup. In some cases, the software hasn’t been maintained in a manner as to prevent security risks taking place.

As well, there have been some high-profile “Zoombombing” attacks on video conferences in recent times. This is where inappropriate, usually pornographic, images have been thrown up in to these video conferences to embarrass the participants with one of these occurring during a court hearing and one disrupting an Australian open forum about reenergising tourism.

This has led to the public data-protection and privacy authorities in Australia, Canada, Gibraltar, Hong Kong, Switzerland and the United Kingdom writing an open letter to Microsoft, Cisco, Zoom, HouseParty and Google addressing these issues. I also see this relevant to any company who is running a text-based “chat” or similar service that offers group-chatting or party-line functionality or adapts their IP-based one-to-one audio/video telephony platform for multi-party calls.

Some of these issues are very similar to what has been raised over the last 10 years thanks to an increase in our use of online services and cloud computing in our daily lives. This included data security under a highly-mobile computing environment with a heterogeneity of computing devices and online services, along with the issue of data sovereignty in a globalised business world.

One of the key issues is data security. This is about having proper data-security safeguards in place such as end-to-end encryption for communications traffic; improved access control like strong passwords, two-factor authentication or modern device-based authentication approaches like device PINs and biometrics.

There will also be the requirement to factor in handling of sensitive data like telehealth appointments between medical/allied-health specialists and their patients. Similarly data security in the context of videoconferencing will also encompass the management of a platform’s abilities to share files, Weblinks, secondary screens and other media beyond the video-audio feed.

As well, a “secure by design and default” approach should prohibit the ability to share resources, including screen views, unless the person managing the videoconference gives the go-ahead for the person offering the resource. If there is a resource-preview mechanism, the previews should only be available to the person in charge of the video conference.

Another key issue is user privacy including business confidentiality. There will be a requirement for a videoconferencing platform to have “privacy by design and default”. It is similar to the core data-security operating principle of least privilege. It encompasses strong default access controls along with features like announcing new participants when they join a multi-party video conference; use of waiting rooms, muting the microphone and camera when you join a video conference with you having to deliberately enable them to have your voice and video part of the conference; an option to blur out backgrounds or use substitute backgrounds; use of substitute still images like account avatars in lieu of a video feed when the camera is muted; and the like.

There will also be a requirement to allow businesses to comply with user-privacy obligations, like enabling them to seek users’ express consent before participating. It also includes a requirement for the platform to minimise the capture of data to what is necessary to provide the service. That may include things like limiting unnecessary synchronising of contact lists, for example.

Another issue is for the platforms to “know their audience”, or know what kind of users are using their platform. This is for them to properly provide these services in a privacy-focused way. It applies especially to use of the platform by children and vulnerable user groups, or where the platform is being used in a sensitive setting like education, health or religion.

As well it encompasses where a videoconferencing platform is used or has its data handled within a jurisdiction that doesn’t respect fundamental human rights and civil liberties. This risk will increase more as countries succumb to populist rule and strongman politics and they forget the idea of these rights. In this case, participants face an increased exposure to various risks associated with these jurisdictions especially if the conversation is about a controversial topic or activity or they are a member of a people group targeted by the oppressive regime.

Another issue being raised is transparency and fairness. Here this is about what data is being collected by the platform, how it is being used, whom it is shared with including the jurisdictions they are based in along with why it is being collected. It doesn’t matter whether it is important or not. The transparency about data use within the platform also affects what happens whenever the platform is evolved and the kind of impact any change would have.

The last point is to provide each of the end-users effective control over their experience with the videoconferencing platforms. Here, an organisation or user group may determine that a particular videoconferencing platform like Zoom or Skype is the order of the day for their needs. But the users need to be able to know whether location data is being collected or whether the videoconference is tracking their engagement, or whether it is being recorded or transcribed.

I would add to this letter the issue of the platform’s user-friendliness from provisioning new users through all stages of establishing and managing a videoconference. This is of concern with videoconference platforms being used by young children or older-generation people who have had limited exposure to newer technologies. It also includes efforts to make the platform accessible to all abilities.

This is relevant to the security and user privacy of a videoconferencing platform because it simplifies the ability for videoconference hosts and participants to maintain effective control of their experience. If a platform’s user interface is difficult to use safely, videoconference hosts and participants will end up opting for insecure setups, thus making themselves vulnerable.

For example, consistent and less-confusing function icons or colours would be required for the software’s controls, along with proper standardised “mapping” of controls on hardware devices to particular functions. Or there could be a user-interface option that always exposes the essential call-management controls at the bottom of the user’s screen during a video call.

This issue has come to my mind due to regularly participating in a Skype videoconference session with my church’s Bible-study group. Most of the members of that group were of older generations who weren’t necessarily technology-literate. Here, I have had to explain what icons to click or tap on to enable the camera or microphone during the videoconference and even was starting it earlier to “walk” participants through using Skype. Here, it would be about calling out buttons on the screen that have particular icons for particular functions like enabling the camera or microphone or selecting the front or back camera on their device.

At least the public-service efforts have come about to raise the consistent security and privacy problems associated with the increased use of videoconferencing software.


Apple advises against Webcam shields on its newer MacBooks – could this be a trend that affects new low-profile laptops?

Article

Apple MacBook Pro running MacOS X Mavericks - press picture courtesy of Apple

Apple advises against using camera covers on their recent MacBooks.

Apple: Closing MacBooks with camera covers leads to display damage | Bleeping Computer

Previous coverage on HomeNetworking01.info

Keeping hackers away from your Webcam and microphone

My Comments

Apple has lately advised its MacBook owners to avoid buying and using accessory Webcam covers on their computers.

These Webcam shields are being seen as a security asset thanks to malware being used to activate the Webcam and microphone to surveil the computer’s user. But Apple advises against them due to the MacBook having the Webcam integrated with the circuitry for the screen and built in a very fragile manner. They also mention that the Webcam is used by macOS as an ambient light sensor and for advanced camera functionality.

Dell XPS 13 9360 8th Generation clamshell Ultrabook – similar advice could apply to other low-profile thin-bezel laptops like the Dell XPS 13

They recommend that if you use a device to obfuscate your Webcam, you use something as thin as a piece of ordinary printing paper that isn’t adhesive. This is because the adhesive can ruin your camera’s picture quality when you want to use it. As well, they recommend that you remove the camera-cover device before you close up your MacBook at the end of your computing session.

I also see this as a key trend that will affect other low-profile laptop computers like Ultrabooks and 2-in-1s that have very thin screen bezels like recent Dell XPS 13s. This is due to manufacturers designing the in-lid electronics in a more integrated manner so as to reduce the lid’s profile. Let’s not forget that with an increasing number of computers, the Webcam is part of facial-recognition-based device-level authentication if its operating system supports this function.

But you still need to protect your privacy when dealing with your laptop’s, all-in-one’s or monitor’s integrated Webcam and microphone.

Primarily, this is about proper computer housekeeping advice like making sure the computer’s operating system, applications, security software and any other software is up-to-date and with the latest security patches. As well, make sure that you know what is installed on your computer and that you don’t install software or click on links that you aren’t sure of.

You may find that your computer or monitor with the integrated Webcam will have some hardware security measures for that camera. This will be in the form of a shutter as used with some Lenovo equipment or a hardware switch that disables the camera as used with some HP equipment. Or the camera will have a tally light that glows when it is in use which is part of the camera’s hardware design. Here, make use of these features to protect your privacy. But you may find that these features may not affect what happens with your computer’s built-in microphone.

As well, you may find that your computer’s operating system or desktop security software has the ability to monitor or control which software has access to your Webcam, microphone or other sensors your computer is equipped with. Here, they may come with this functionality as part of a continual software update cycle. Let’s not forget that some Web browsers may bake camera-use detection in to their functionality as part of a major feature upgrade.

MacOS users should look at Apple’s support page for what they can do while Windows 10 users can look at Microsoft’s support page on this topic. Here, this kind of control is part of the fact that today’s desktop and mobile operating systems are being designed for security.

If your operating system or desktop security software doesn’t have this functionality, you may find third-party software for your computing platform that has oversight of your Webcam and microphone. One example for MacOS is Oversight which notifies you if the camera or microphone are being used, with the ability to detect software that “piggybacks” on to legitimate video-conferencing software to record your conversations. But you need to do some research about these apps before you consider downloading them.

Even if you are dealing with a recent MacBook or low-profile laptop computer, you can make sure your computer’s Webcam and integrated microphone aren’t being turned into a listening device.


More companies participate in Confidential Computing Consortium

Article

Facebook, AMD, Nvidia Join Confidential Computing Consortium | SDx Central

AMD, Facebook et Nvidia rejoignent une initiative qui veut protéger la mémoire vive de nos équipements (AMD, NVIDIA and Facebook join an initiative to protect the live memory of our equipment) | O1Net.com (France – French language / Langue française)

From the horse’s mouth

Confidential Computing Consortium

Web site

My Comments

Some of online life’s household names are becoming part of the Confidential Computing Consortium. AMD, Facebook and NVIDIA have joined this consortium, which is a driver towards secure computing, something that is becoming more of a requirement these days.

What is the Confidential Computing Consortium

This is an industry consortium driven by the Linux Foundation to provide open standards for secure computing in all use cases.

It is about creating standard software-development kits for secure software execution. This is to allow software to run in a hardware-based Trusted Execution Environment that is isolated from the rest of the system. It is also about writing this code to work independently of the system’s silicon manufacturer and to work across the common microarchitectures like ARM, RISC-V and x86.

This is becoming of importance nowadays with malware being written to take advantage of data being held within a computing device’s volatile random-access memory. One example of this is RAM-scraping malware targeted at point-of-sale / property-management systems that steals customers’ payment-card data while a transaction is in progress. Another example is the recent discovery by Apple that a significant number of familiar iOS apps are snooping on the Clipboard of the user’s iPhone or iPad without the knowledge and consent of the user.

As well, in this day and age, most software implements various forms of “memory-to-memory” data transfer for many common activities like cutting and pasting. There is also the fact that an increasing number of apps are implementing context-sensitive functionality like conversion or translation for content that a user selects or even for something a user has loaded in to their device.

In most secure-computing setups, data is encrypted “in transit” while it moves between computer systems and “at rest” while it exists on non-volatile secondary storage like mechanical hard disks or solid-state storage. But it isn’t encrypted while it is in use by a piece of computer software to fulfil that program’s purposes. This is what leads to this kind of exploit, like RAM-scraping malware.

The Confidential Computing Consortium is about encrypting the data that is held within RAM and allowing the user to grant software that they trust access to that encrypted data. Primarily it will be about consent-driven relevance-focused secure data use for the end-users.

But the idea is to assure not just the security and privacy of a user’s data but allow multiple applications on a server-class computer to run in a secure manner. This is increasingly important with the use of online services and cloud computing where data belonging to multiple users is being processed concurrently on the same physical computer.

This is even relevant to home and personal computing, including the use of online services and the Internet of Things. It is highly relevant when authenticating with online services or facilitating online transactions, as well as for assuring end-users and consumers of data privacy. As well, most of us are heading towards telehealth and at-home care, which involves the handling of more personally-sensitive information relating to our health through the use of common personal-computing devices.

The fact that Facebook is on board is due to the fact that the social network’s users make use of social sign-on by that platform to sign up with or log in to various online services. In this case, it would be about protecting the user-authentication tokens that move between Facebook and the online service during the sign-up or log-in phase.

As well, Facebook has two fingers in the consumer online messaging space in the form of the Facebook Messenger and WhatsApp products, and both of these services feature end-to-end encryption, with WhatsApp having this feature enabled by default. Here, they want users to be sure that the messages during, say, a WhatsApp session stay encrypted even in the device’s RAM rather than just between devices and within the device’s non-volatile storage.

I see the Confidential Computing Consortium as underscoring a new vector within the data security concept with this vector representing the data that is in the computer’s memory while it is being processed. Here, it could be about establishing secure consent-driven access to data worked on during a computing session, including increased protection of highly-sensitive business and personal data.


Safe computing practices in the coronavirus age


The coronavirus plague is having us at home, inside and online more… (iStock by Getty Images)

The Covid-19 coronavirus plague is changing our habits more and more as we stay at home to avoid the virus or avoid spreading it onwards. Now we are strongly relying on our home networks and the Internet to perform our work, continue studying and connect with others in our social circles.

But this state of affairs is drawing out its own cyber-security risks, with computing devices being vulnerable to malware and hastily-written software being preferred for tasks like videoconferencing. Not to mention the risk of an increasing flow of fake news and disinformation about this disease.

What can we do?

General IT security

But we need to be extra vigilant about our data security and personal privacy

The general IT security measures are very important even in this coronavirus age. Here, you need to make sure that all the software on your computing devices, including their operating systems, is up-to-date and has the latest patches. This also applies to your network, TV set-top and Internet-of-Things hardware, where you need to make sure the firmware is up-to-date. The best way to achieve this is to have the devices automatically download and install the revised software themselves.

As well, managing the passwords for our online services and our devices properly reduces the risk of data and identity theft. It may even be a good idea to use a password vault program to manage our passwords, which may prevent us from reusing them across services. Similarly, using a word processor to keep a list of your passwords which is saved on removable media and printed out, with both the hard and electronic copy kept in a secure location, may also work wonders here.

Make sure that your computer is running a desktop / endpoint security program, even if it is the one that is part of the operating system. Similarly, using an on-demand scanning tool like Malwarebytes can work as a way to check for questionable software. As well, you may have to check that the software installed on all of your computing devices is software you actually use, and even verify with multiple knowledgeable people whether that program that is the “talk of the town” should be on your computer.

If you are signing up with new online services, it may even be a better idea to implement social sign-on with established credential pools like Google, Facebook or Microsoft. These setups implement a token between the credential pool and the online service as the authentication factor rather than a separate username and password that you create.

As well, you will be using the Webcam more frequently on your computing devices. The security issue with the Webcam and microphone is more important with computing setups that have the Webcam integrated in the computer or monitor, like with portable computing devices, “all-in-one” computers or monitors equipped with Webcams.

Here, you need to be careful about which programs have access to the Webcam and microphone on your device. If newly-installed software asks for use of your camera or microphone and that request doesn’t fit the way the software works, deny access to the camera or microphone when it asks for their use.

If you install a health-department-supplied tracking app as part of your government’s contact-tracing and disease-management efforts, remember to remove this app as soon as the coronavirus crisis is over. Doing this will protect your privacy once there is no real need to manage the disease.

Email and messaging security

Your email and messaging platforms will become an increased security risk at this time thanks to phishing including business email compromise. I have covered this issue in a previous article after helping someone reclaim their email service account after a successful phishing attempt.

An email or message is likely to be a phishing attempt if it shows signs such as not meeting proper business writing standards for your country, having a sense of urgency about it, or being too good to be true. Once you receive these emails, it is prudent to report them and then delete them forthwith.

In the case of email addresses from official organisations, make sure that the domain name represents the organisation’s proper domain name. This should be exactly the domain name they use for their Web presence; the domain name part of the address following the “@” symbol may be prefixed with a server identifier like “mail” or “email”, but nothing should be appended after the organisation’s domain name.

Also, be familiar with the particular domain-name structures used by official organisation clusters like the civil / public service, international organisations and academia when you open email or surf the Web. These will typically use protected top-level domain suffixes like “.gov”, “.int” or “.edu” and won’t use common domain name suffixes like “.com”. This will help with identifying whether a site or a sender is the proper authority or not.
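As an added illustration of the sender-domain checks described in the two paragraphs above (this is example code written for this page, not from the original article), the following Python snippet pulls the real address out of a From: header, compares its domain against an organisation’s known Web domain so that a prepended server label passes but anything appended or altered fails, and notes whether a protected suffix is in use. The handling of country variants like “.gov.au” (a protected label directly before a two-letter country code) is my assumption, and the sample headers are constructed.

```python
import re

# Protected top-level labels the article names as typical of official bodies.
PROTECTED_LABELS = {"gov", "int", "edu"}

# Matches the address inside angle brackets at the end of a From: header value.
_ANGLE_ADDR_RE = re.compile(r"<([^<>]+)>\s*$")


def extract_address(header_value: str) -> str:
    """Return the bare, lower-cased address from a From: header value.

    Accepts 'user@example.gov' or 'Display Name <user@example.gov>'. Only the
    address inside the angle brackets counts: the display text is chosen by the
    sender and may itself contain an official-looking address.
    """
    value = header_value.strip()
    match = _ANGLE_ADDR_RE.search(value)
    return (match.group(1) if match else value).strip().lower()


def sender_domain(header_value: str) -> str:
    """Return the domain part (after the '@') of the real sender address."""
    address = extract_address(header_value)
    if address.count("@") != 1:
        raise ValueError(f"not a single well-formed address: {header_value!r}")
    return address.rsplit("@", 1)[1].rstrip(".")


def domain_matches_org(domain: str, org_domain: str) -> bool:
    """True if domain is org_domain, or org_domain with a server label prepended.

    'mail.example.gov' matches 'example.gov'; 'example.gov.evil-login.com' and
    'example-gov.com' do not, because nothing may be appended or altered.
    """
    domain = domain.lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    return domain == org or domain.endswith("." + org)


def uses_protected_suffix(domain: str) -> bool:
    """True if the domain ends in a protected suffix such as .gov, .int or .edu.

    Assumption (mine, not the article's): country variants like example.gov.au
    are recognised when a protected label sits directly before a two-letter
    country code. 'example.gov.com' is rejected because 'com' is not one.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    if labels[-1] in PROTECTED_LABELS:
        return True
    return len(labels) >= 3 and labels[-2] in PROTECTED_LABELS and len(labels[-1]) == 2


def check_sender(header_value: str, org_domain: str) -> tuple[bool, str]:
    """Apply the checks to a From: header; return (accept, reason)."""
    try:
        domain = sender_domain(header_value)
    except ValueError as exc:
        return False, str(exc)
    if not domain_matches_org(domain, org_domain):
        return False, f"sender domain {domain!r} is not {org_domain!r} or a host within it"
    if uses_protected_suffix(domain):
        note = "uses a protected suffix"
    else:
        note = "uses a common suffix, so verify the organisation separately"
    return True, f"{domain!r} belongs to {org_domain!r} and {note}"


if __name__ == "__main__":
    # Constructed sample From: headers for a fictitious agency at example.gov.
    samples = [
        "noreply@mail.example.gov",                           # server label prepended: fine
        '"Health Dept" <alerts@example.gov.evil-login.com>',  # agency name with junk appended
        "info@example-gov.com",                               # look-alike on a common suffix
        '"press@example.gov" <news@attacker.net>',            # official address only in display text
    ]
    for header in samples:
        accepted, reason = check_sender(header, "example.gov")
        print(f"{'ACCEPT' if accepted else 'REJECT'}: {header} ({reason})")
```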

Messaging and video-conferencing

Increasingly as we stay home due to the risk of catching or spreading the coronavirus plague, we are relying on messaging and video-conferencing software more frequently to communicate with each other. For example, families and communities are using video-conferencing software like Zoom or Skype to make a virtual “get-together” with each other thanks to these platforms’ support for many-to-many videocalls.

But as we rely on this software more, we need to make sure that our privacy, business confidentiality and data security is protected. This is becoming more important as we engage with our doctors, whether they be general practitioners or specialists, “over the wire” and reveal our medical issues to them that way.

If you value privacy, look towards using an online communications platform that implements end-to-end encryption. In fact, most of the respected “over-the-top” communications platforms like WhatsApp, Viber, Skype and iMessage offer this feature for 1:1 conversations between users on the same platform. Some, like WhatsApp and Viber, offer this same feature for group conversations between users on that same platform.

Video-conferencing software like Zoom and Skype

When you are hosting a video-conference using Zoom, Skype or similar platforms, be familiar with any meeting-setup and meeting-management features that the platform offers. If the platform uses a Weblink to join a video-conference that you can share, use email or a messaging platform to share that link with potential participants. Avoid posting this on the Social Web so you keep gatecrashers from your meeting or class.

As well, if the platform supports password-protected meeting entry, use this feature to limit who can join the meeting. Here, it is also a good idea to send the password as a separate message from the meeting’s Weblink.

Some platforms like Zoom offer a waiting-room function which requires potential participants to wait and be vetted by the conference’s moderator before they can participate. As well, these platforms may have a meeting-lockout so that no more people can join the video-conference. Use this function once all the participants that you expect are present in the meeting.

You need to regulate the screen-sharing feature that your platform offers, which allows meeting participants to share currently-running app or desktop user interfaces. You may have the ability to limit this function to the moderator’s computer or a specified participant’s computer, which will prevent people from showing offensive imagery or videos to all the meeting’s participants. As well, you may also need to regulate access to any file-sharing functionality that the platform offers in order to prevent the video-conference becoming a vector for spreading malware or offensive material.

Fake news and disinformation

Just like with the elections that count, the coronavirus issue has brought about its fair share of fake news and disinformation.

Here, I would recommend that you use trusted news sources like the respected public-service broadcasters for information about this plague. As well, I would recommend that you visit respected health-information sites including those offered “from the horse’s mouth” by local, regional or national government agencies for the latest information.

As well, trust your “gut reaction” when it comes to material that is posted online about the coronavirus plague, including the availability of necessary food or medical supplies. Here, be careful of content that is “out of reality” or plays on your emotions. The same attitude should also apply when you are buying essential supplies online and are concerned about the availability and price of these supplies.

Conclusion

As we spend more time indoors and online thanks to the coronavirus, we need to keep our computing equipment including our tablets and smartphones running securely to protect our data and our privacy.


Reverse image searching–a very useful tool for verifying the authenticity of content


Tineye – one of the most popular and useful reverse image search tools

Article

How To Do A Reverse Image Search From Your Phone | PCMag

My Comments and further information

Increasingly, most of us who regularly interact with the Internet will be encouraged to perform reverse-image searches.

This is where you use an image you supply or reference as a search term for the same or similar images on other Internet resources. It can also be about identifying a person or other object that is in the image.

Increasingly this is being used by people who engage in online dating to verify the authenticity of the person whom they “hit” on in an online-dating or social-media platform. It is due to romance scams where “catfishing” (pretending to be someone else in order to attract people of a particular kind) is part of the game. Here, part of the modus operandi is for the perpetrator to steal pictures of other people that match a particular look from photo-sharing or social-media sites and use these images in their profile.

It is also being used as a way to verify the authenticity of a product being offered for sale through an online second-hand-goods marketplace like eBay, Craigslist or Gumtree. It also extends to short-term house rentals including Airbnb, where the potential tenant wants to verify the authenticity of the premises that are available to let.

As well, reverse image searching is being considered more relevant when it comes to checking the veracity of a news item that is posted online. This is very important in the era of fake news and disinformation where online images including doctored images are being used to corroborate questionable news articles.

How do you do a reverse image search?

At the moment, there are a few reverse-image-search engines that are available to use by the ordinary computer user. These include Tineye, Google Image Search, Bing Visual Search, Yandex’s image search function and Social Catfish’s reverse-image-search function.


A regular computer like this Dell Inspiron 14 5000 2-in-1 makes it easier to do a reverse image search thanks to established operating system and browser code and its user interface.

The process of using these services involves you uploading the image to the service, including by using “copy-and-paste” techniques, or passing the image’s URL to an address box in the search engine’s user interface. The latter method is a “search-by-reference” method, with the reverse-image-search site loading the image associated with that link into itself as its search term.

Using a regular desktop or laptop computer that runs the common desktop operating systems makes this job easier. This is because the browsers offered on these platforms implement tabs or allow multiple sessions so you can run the site in question in one tab or window and one or two reverse-image-search engines in other tabs or windows.

These operating systems also maintain well-developed file systems and copy-paste transfer algorithms that facilitate the transfer of URLs or image data to these reverse-image-search engines. That will also apply if you are dealing with a native app for that online service such as the client app offered by Facebook or LinkedIn for Windows. As well, Chrome and Firefox provide drag-and-drop support so you can drag the image from that Tinder or Facebook profile in one browser session to Tineye running in the other browser session.

But mobile users may find this process very daunting. Typically it requires the site to be opened and logged in to in Chrome or Safari then opened as a desktop version which is the equivalent of viewing it on a regular computer. For Chrome, you have to tap on the three-dot menu and select “Request Desktop Site”. For Safari, you have to tap the upward-facing arrow to show the “desktop view” option and select that option.

Then you open the image in a new tab and copy the image’s URL from the address bar. That is before you visit Google Image Search or Tineye to paste the URL in that app’s interface.

Google has built in to recent mobile versions of Chrome a shortcut to their reverse-image-search function. Here, you “dwell” on the image with your finger to expose a pop-up menu which has the “Search Google For This Image” option. The Bing app has the ability for you to upload images or screenshots for searching.


Share option in Google Chrome on Android

If you use an app like the Facebook, Instagram or Tinder mobile clients, you may have to take a screenshot of the image you want to search on. Recent iOS and Android versions also provide the ability to edit a screenshot before you save it thus cutting out the unnecessary user-interface stuff from what you want to submit. Then you open up Tineye or Google Image Search in your browser and upload the image to the reverse-image-search engine.

How can reverse image searching on the mobile platforms be improved?

What can be done to facilitate reverse image searching on the mobile platforms is for reverse-image-search engines to create lightweight apps for each mobile platform. This app would make use of the mobile platform’s “Share” function for you to upload the image or its URL to the reverse-image-search engine as a search term. Then the app would show you the results of your search through a native interface or a view of the appropriate Web interface.


A reverse-image-search tool like Tineye could be a share-to destination for mobile platforms like iOS or Android

Why have this app work as a “share to” destination? This is because most mobile-platform apps and Web browsers make use of the “share to” function as a way to take a local or online resource further. It doesn’t matter whether it is to send to someone else via a messaging platform including email; obtain a printout or, in some cases, stream it on the big screen via AirPlay or Chromecast.

The lightweight mobile app that works with a reverse-image-search engine answers the reality that most of us use smartphones or mobile-platform tablets for personal online activity. This is more so with social media, online dating and online news sources, thanks to the “personal” size of these devices.

Conclusion

What is becoming clear is that reverse image searching, whether of particular images or Web pages, is being seen as important for our security and privacy and for our society’s stability.


Germany to instigate the creation of a European public cloud service

Article

Map of Europe By User:mjchael by using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

Europe to have one or more public cloud services that respect European sovereignty and values

Germany to Unveil European Cloud to Rival Amazon, Alibaba | ITPro Today

France, Germany want more homegrown clouds to pick from | ITNews (Premium)

My Comments

Germany is instigating a Europe-wide project to create a public cloud-computing service. As well, France has registered its intent to create another such service along the same lines.

Both countries’ intention is to rival what the USA and Asia are offering regarding public-cloud data-processing solutions. But, as I have said before, it is about having public data infrastructure that is sovereign to European laws and values. This also includes the management and dissemination of such data in a broad and secure manner.

Freebox Delta press photo courtesy of Iliad (Free.fr)

… which could also facilitate European software and data services like what is offered through the Freebox Delta

The issue of data sovereignty has become of concern in Europe due to the USA and China pushing legislation to enable their governments to gain access to data held by data service providers that are based in those countries. This is even if the data is held on behalf of a third-party company or hosted on servers that are installed in other countries. The situation has been underscored by a variety of geopolitical tensions involving those countries in particular, such as the recent USA-China trade spat.

It is also driven by some European countries being dissatisfied with Silicon Valley’s dominance in the world of “as-a-service” computing. This is more so with France where there are goals to detach from and tax “GAFA” (Google, Apple, Facebook and Amazon) due to their inordinate influence in consumer and business computing worlds.

or BMW’s voice-driven assistant for in-car infotainment

Let’s not forget that Qarnot in France has designed computers that put their waste heat to use for heating rooms or creating hot water in buildings. This will appeal to a widely-distributed data-processing setup that could be part of public cloud-computing efforts.

Questions that will crop up with the Brexit agenda when Europe establishes this public cloud service will include British data sovereignty if data is held on the European public cloud or whether Britain will have any access or input into this public cloud.

Airbus A380 superjumbo jet wet-leased by HiFly at Paris Air Show press picture courtesy of Airbus

… just like this Airbus A380 superjumbo jet shows European prowess in aerospace

Personally I could see this as facilitating the wider creation of online services by European companies especially with the view to respecting European personal and business values. It could encompass ideas like voice-driven assistant services, search engines, mapping and similar services for consumers or to encourage European IT development.

Could this effort that Germany and France put forward be the Airbus or Arianespace of public-cloud data services?


Why do I consider a digital fax vault an important feature for multifunction printers?


HP LaserJet Pro CM1415fnw colour laser multifunction printer – an example of a fax-capable multifunction that implements flash memory and fax-vault functionality

Nearly every multifunction printer that is pitched towards small businesses and SOHO operations is equipped with basic Group 3 fax functionality at least. Most will have the high-speed Super Group 3 functionality while most multifunctions that print colour will support colour faxing.

This is a feature still considered of value by people who work in the legal, medical and allied professions because they see it as the preferred way to exchange documents “over the wire”, especially in the context of requiring other parties to sign and send the documents.

But inbound documents that arrive via these machines can be seen by people other than the intended recipients which is something that can betray the required confidentiality that most of these documents require. This is an important issue as far as client confidentiality and privacy are concerned when it comes to legal, medical or similar issues; but can also be of concern with the intellectual property that most organisations accrue such as customer / member lists or financial reports.

This can be of concern in traditional workplace environments like clinics where you have people like late-night workers or contract cleaners present in the office beyond normal business hours. It can also be exacerbated for small-time professionals who share or sub-let office space or use serviced offices.

It can also extend to people who maintain a home office, something that is an increasing trend for small-time practitioners or people who maintain a small public storefront at other premises. In this case, even though the business operator’s household respects the business’s confidentiality requirements, there is the issue of houses being occupied by house-sitters, couch-surfers and the like who may not respect that level of confidentiality even though you trust them. It includes tradespeople who come in to your home to perform work that you require.

What is a “fax vault” and how could this feature answer these situations?


Brother MFC-J5730CDW fax-equipped multifunction which can be set up to forward incoming faxes to Dropbox or OneDrive

A “fax vault” function stores all incoming fax documents to a digital storage medium of some sort rather than printing them out. Then the user enters a code and selects a “print stored faxes” function to print out the documents. Such setups could allow functions like printing out selected faxes such as those that relate to the work they are dealing with, or forwarding the documents to another fax machine like the one installed at a convenience store or newsagent to be collected there. Some machines also provide a “forward to email” function where they send the received fax document via email as a TIFF-FAX file or a PDF file.

Some of these setups may provide PIN-protected dial-in access to allow users to enable or disable this function or forward documents to a nominated fax machine from the nearest telephone like their home phone. The functionality could also be facilitated through a Web page or mobile-platform app for a granular operating experience.

The most basic form of this kind of storage is RAM in the machine, but a power failure can have you lose all the documents you have received. Better implementations of this storage can be in the form of non-volatile storage like a hard disk or a solid-state storage device, including an SD card or flash memory installed in the machine, or the data can be held on network storage like a NAS.

For example, HP implemented integrated flash memory within the LaserJet Pro CM1415fnw that I reviewed. This was in lieu of using RAM, which is vulnerable to power failure, and it also allowed that printer to implement a comprehensive “fax vault” function.

Brother have come close to this ideal by equipping some of their printers with “Fax Forward To Cloud” functionality provided as a machine app where documents can be held in a Dropbox or similar online-storage account. But this feature still requires the user to have documents printed out as they come in.

As I review a fax-capable multifunction printer, I applaud manufacturers who offer this function in the proper manner in their products especially if it is feasible not to print documents that are held on the storage. As well, I applaud manufacturers who implement non-volatile memory technology, preferably user-upgradeable technology or use of external, network or common cloud-based storage for incoming faxes.

The feature is important to prevent others from seeing confidential faxes which come in through the machine thus assuring client confidentiality and privacy along with intellectual-property protection for professionals.

How to achieve this better

The manufacturers could implement flash memory in their fax-capable MFCs to avoid risk of document loss during power failures.

This can be taken further with the ability for the user to install standard-form storage devices like SDXC cards, M.2 or 2.5” SATA storage devices within the machine to allow the user to install higher-capacity storage devices at a later time; or a USB port to allow the connection of USB Mass-Storage devices like memory keys or external hard disks. SD-based cards or M.2 SSD sticks can work well with the manufacturer’s desire to maintain a compact design for their desktop multifunction printer devices.

Similarly, simplified resource-discovery protocols for NAS devices could make these devices discoverable by equipment other than regular computers. This could be facilitated through a Samba (open-source SMB implementation) client on the multifunction that implements the SMB protocol most of the NAS units use.

To protect the data on the non-volatile storage device against further snooping should the non-volatile media unit be stolen, the fax-enabled multifunction printer could implement encrypted storage or simply encrypt the files associated with fax operation. File-based encryption can also work with data stored on a NAS unit.

The large capacities offered by newer cost-effective storage media would cater to businesses in the legal profession who are having to deal with large legal documents as a matter of course, or doctors who receive graphically-rich documents like medical imaging.

It also encourages the use of the non-volatile storage medium in these machines for storing fax documents yet to be transmitted such as with scheduled faxing or attempting to transmit a document to a machine that is busy or not answering. The benefit also applies when your machine is busy printing large documents and wants to keep itself available for other incoming faxes.

For regular printing from a network, the non-volatile storage option can allow for enqueued printing where each job waits on the storage medium until it is printed out. This can also work well with secure print-job release where you enter a code that you predetermine to collect your job before the job is turned out. It can also allow manufacturers to implement remote printing, public-printing facilities and the like as part of a multifunction’s feature set.

Let’s not forget scanning, where an efficient workflow can be created. Here, a user could scan many originals at the machine then go to their computer or mobile device to take them further by “picking them up” from the machine’s storage. A multifunction with advanced abilities could even have the ability to, for example, recognise many small originals like snapshot photos, business cards or till receipts that are scanned at once and create separate files for each original.

Conclusion

Having a digital fax vault as part of a small-business or SOHO-grade fax-capable multifunction’s feature set can be of value to professionals who place high value on client confidentiality.
