Data security Archive

Australian Electoral Commission weighs in on online misinformation

Article

Australian House of Representatives ballot box - press picture courtesy of Australian Electoral Commission

Are you sure you are casting your vote or able to cast your vote without undue influence?

Australian Electoral Commission boots online blitz to counter fake news | ITNews

Previous coverage

Being cautious about fake news and misinformation in Australia

From the horse’s mouth

Australian Electoral Commission

Awareness Page

Press Release

My Comments

I regularly cover the issue of fake news and misinformation especially when this happens around election cycles. This is because it can be used as a way to effectively distort what makes up a democratically-elected government.

When the Victorian state government went to the polls last year, I ran an article about the issue of fake news and how we can defend ourselves against it during election time. This was because of Australia hosting a run of elections that are ripe for a concerted fake-news campaign – state elections for the two most-populous states in the country and a federal election.

It is being seen as of importance due to fact that the IT systems maintained by the Australian Parliament House and the main Australian political parties fell victim to a cyber attack close to February 2019 with this hack being attributed to a nation-state. This can lead to the discovered information being weaponised against the candidates or their political parties similar to the email attack against the Democrat party in the USA during early 2016 which skewed the US election towards Donald Trump and America towards a highly-divided nation.

The issue of fake news, misinformation and propaganda has been on our lips over the last few years due to us switching away from traditional news-media sources to social media and online search and news-aggregation sites. Similarly, the size of well-respected newsrooms is becoming smaller due to reduced circulation and ratings for newspapers and TV/radio stations driven by our use of online resources. This leads to poorer-quality news reporting that is a similar standard to entertainment-focused media like music radio.

A simplified low-cost no-questions-asked path has been facilitated by personal computing and the Internet to create and present material, some of which can be questionable. It is now augmented by the ability to create deepfake image and audio-visual content that uses still images, audio or video clips to represent a very convincing falsehood thanks to artificial-intelligence. Then this content can be easily promoted through popular social-media platforms or paid positioning in search engines.

Such content takes advantage of the border-free nature of the Internet to allow for an actor in one jurisdiction to target others in another jurisdiction without oversight of the various election-oversight or other authorities in either jurisdiction.

I mentioned what Silicon Valley’s online platforms are doing in relation to this problem such as restricting access to online advertising networks; interlinking with fact-check organisations to identify fake news; maintaining a strong feedback loop with end-users; and operating robust user-account-management and system-security policies, procedures and protocols. Extant newsrooms are even offering fact-check services to end-users, online services and election-oversight authorities to build up a defence against misinformation.

But the Australian Electoral Commission is taking action through a public-education campaign regarding fake news and misinformation during the Federal election. They outlined that their legal remit doesn’t cover the truthfulness of news content but it outlines whether the information comes from a reliable or recognised source, how current it is and whether it could be a scam. Of course there is the issue of cross-border jurisdictional issues especially where material comes in from overseas sources.

They outlined that their remit covers the “authorisation” or provenance of the electoral communications that appear through advertising platforms. As well, they underscore the role of other Australian government agencies like the Australian Competition and Consumer Commission who oversee advertising issues and the Australian Communications And Media Authority who oversee broadcast media. They also have provided links to the feedback and terms-and-conditions pages of the main online services in relationship to this issue.

These Federal agencies are also working on the issue of electoral integrity in the context of advertising and other communication to the voters by candidates, political parties or other entities; along with the “elephant in the room” that is foreign interference; and security of these polls including cyber-security.

But what I have outlined in the previous coverage is to look for information that qualifies the kind of story being published especially if you use a search engine or aggregated news view; to trust your “gut reaction” to the information being shared especially if it is out-of-touch with reality or is sensationalist or lurid; checking the facts against established media that you trust or other trusted resources; or even checking for facts “from the horse’s mouth” such as official press releases.

Inspecting the URL in your Web browser’s address bar before the first “/” to see if there is more that what is expected for a news source’s Web site can also pay dividends. But this can be a difficult task if you are using your smartphone or a similarly-difficult user interface.

I also even encourage making more use of established trusted news sources including their online presence as a primary news source during these critical times. Even the simple act of picking up and reading that newspaper or turning on the radio or telly can be a step towards authoritative news sources.

As well, I also encourage the use of the reporting functionality or feedback loop offered by social media platforms, search engines or other online services to draw attention to contravening content This was an action I took as a publisher regarding an ad that appeared on this site which had the kind of sensationalist headline that is associated with fake news.

The issue of online misinformation especially during general elections is still a valid concern. This is more so where the online space is not subject to the kinds of regulation associated with traditional media in one’s home country and it becomes easy for foreign operators to launch campaigns to target other countries. What needs to happen is a strong information-sharing protocol in order to place public and private stakeholders on alert about potential election manipulation.

Send to Kindle

Could a logical network be a data-security attribute?

Telstra Gateway Frontier modem router press picture courtesy of Telstra

The local network created by one of these routers could be seen as a way to attest proximity or effective control of these devices

In data security, there has to be a way to attest that a user has effective control of their computing devices when they are authenticating with a device or service. Increasingly, most of us are handling two or more devices in this context such as to move data between them, use one of them as an authentication factor or to verify mutual trust between two or more people.

The logical network, also called a subnet, represents the devices connected to the same router irrespective of what media they use to connect to this network like Ethernet or Wi-Fi wireless. It is represented at Layer 3 (Network Layer) on the OSI network model stack and is represented by IP (Internet Protocol) whether version 4 or 6. Routers that implement guest or hotspot/community network functionality create a separate logical network for the guest or hotspot network.

But a hotspot network can be set up to cover a large public area like a bar or cafe’s dining room or even the whole of a hotel or apartment block. As well, if a hotspot network is properly set up for the end users’ data security, it shouldn’t be feasible to discover other devices on that same logical network. This is thanks to IP-based isolation functionality that the router that serves the hotspot offers.

Here, the existence of devices on the same logical network can be used as a way to attest proximity of these devices or to attest effective control over them.

Use cases

Enhanced two-factor authentication

Increasingly, most of us who implement two-factor authentication use an app on a smartphone to provide the random key number that confirms what we have along with what we know. But in a lot of situations, we have the smartphone and the computer we want to use to gain access to the resources existing on the same network. This may be our home or business network, a public-access hotspot or tethering our laptop to a smartphone for Internet access via the mobile network.

Having both devices on the same network could be seen as a way to assess the security level of a multifactor authentication setup by assessing the proximity of the devices to each other. It is more so if the devices are communicating to each other behind the same Wi-Fi access point or Ethernet switch. This concept would be to prove that both devices are effectively being controlled by the same user.

It can also work as an alternative to Bluetooth or NFC as a device-to-device link for a transcription-free multi-factor authentication setup if you are thinking of two devices that are able to connect to a network via Wi-Fi. This is more so where the issue of phishing of multi-factor authentication setups involving the transcription of a one-time passcode has been raised.

Discovery of devices in the same network

The same concept can also be examined in the context of interlinking between devices that exist on the same network or even determining one’s “home” domain in the context of AV content rights. In some ways, the concept could also be about tokenised login for online services where a user’s credentials are held on one device like a smartphone but a session-based token is passed to another device like a set-top box to facilitate login from that device.

It is a practice that has been used with UPnP and Bonjour technologies primarily for device and content discovery. The most obvious situation would be to use Apple AirPlay or Google Chromecast to throw content to the big screen from a compatible mobile device. It also works in the same context when you set up and use a network-based printer from your computer or smartphone.

Across-the-room discovery and mutual-user authentication

Another use case this concept can apply to is “across-the-room” device discovery and mutual-user authentication. This would be used for data transfer, social networks or online gaming where you intend to share a resource with someone you talked with, invite them as a friend / follower in a social network or engage them in an online game.

Proof of presence at a particular location

Use of a logical network’s attributes can be a tool for proving one’s presence at a particular location. This is more so where the Internet service for that network is being provided using a wired-broadband or fixed-wireless-broadband approach for its last-mile, like with most home and business networks. It may not work with “Mi-Fi” setups where a mobile broadband network is being implemented for the last-mile connection.

Here, it could be used for time-and-attendance purposes including “proof of presence” for home-based carers. Or it could be used to conditionally enable particular functionality like app-based on-premises food-and-beverage ordering at a venue. To the same extent, it could be used to protect delivery services against orders that were instigated at one location being sent to another location.

Methods

Both devices existing on the same network

In a premises-specific network like most small networks, testing that both devices are on the same subnet / logical network behind the same gateway device (router) could be a way to attest that both devices are in the same premises. The same test can be performed by the use of a “hop count” on Layer 3 of the OSI network-layer tree, which also determines the number of logical networks passed.

It is a method used with a wide range of network-based AV and printing applications to constrain the discovery and control of devices by controller software to what is local to you.

But assessing whether the two devices are connecting to the same access point on a Wi-Fi network can be used to attest whether both devices are in the same room in a large Wi-Fi setup. It may not work in a network setup where different devices connect to a network using different connection media like Ethernet, Wi-Fi Wireless or HomePlug powerline. This also includes situations where multiple access points cover the same room or floor such as with large rooms or open-plan areas.

Another approach that can be used for Wi-Fi hotspot networks honouring the Hotspot 2.0 / Passpoint setup would be to read the “venue” metadata for that network and compare whether both devices are in the same venue. If this technology is able to support subdividing of a logical venue such as based on floors or rooms, this could work as a way of further attesting whether both devices are in close proximity.

A Wi-Fi wireless network can be attested through the use of the BSSID which identifies the same access point that the devices are connecting through or the ESSID which is the network’s “call sign”. The BSSID could be used for a public hotspot network including a “hotzone” network ran by a local government or ISP,or a large network that uses many access points while the ESSID approach could be used simply for a small network with a few access points.

Trusted networks with authentication certificates

On the other hand, there could be the concept of creating “trusted networks” where authentication certificates relating to the network are stored in the network’s gateway device or in infrastructure devices associated with that network. It could be used to work against man-in-the-middle attacks as well as a stronger approach to attesting trust between the client device and the network it proposes to access.

The initial appeal for this concept could be to attest the authenticity of a business’s network especially in the face of business partners or customers who want to use that network as a gateway to the Internet or use the host business’s resources.

It could have some appeal to the food, beverage and hospitality industry where particular cafes and bars are often seen by individuals and workgroups as favoured hangouts. In this context, if an individual wants to use the Wi-Fi public-access network in their favourite “watering hole” or “second office”, the “trusted network” approach can be used to verify to the customer that they have connected to the venue’s network at the venue to avoid “man-in-the-middle” attacks.

This approach is being implemented with the Wi-Fi Passpoint / Hotspot 2.0 technology to provide for the simple yet secure public-access Wi-Fi network.

The same approach can be used with a home network if the router can store data like digital certificates in onboard non-volatile memory. Then this data could be created by the ISP as a “known trusted network” with a network-specific certificate relating to the router and network equipment. Such a service could be offered by an ISP as a value-added service especially to cater for “proof-of-presence” applications.

Conclusion

Using a logical network as a data-security attribute can be effective as a security tool for some use cases. With current network equipment, this can be a surefire way of assessing device proximity.to other devices. But use of certificates stored on network-infrastructure devices like routers and provided by ISPs or similar entities can be of use for authenticated-network or proof-of-presence applications.

Send to Kindle

Constance Hall puts trolling and bullying in the TV spotlight on Dancing With The Stars

Article

‘It hurts me so much’: Constance Hall targeted by trolls after reality TV announcement | Sydney Morning Herald

Dancing with the Stars: Constance Hall is ready to rumba! Here’s what you need to know about her | NowToLove.com

Video – Click or tap to play (Facebook page)

>

Previous Coverage on HomeNetworking01.info

Dealing with Internet trolls

Useful Resources

Crash Override Network – A resource centre based in the USA focused on online-abuse issues.

My Comments

Constance Hall, an online personality who has run a blog and is maintaining a Facebook public presence, is participating in the latest Dancing With The Stars season on Ten Network Australia. But because she had decided to star in this popular dancing talent-quest TV show, she got a lot of online abuse from various trolls. She often copped this abuse in her online presence due to how she looks, her outspokenness or her alternative lifestyle.

I have seen this happen with two of the contestants in MasterChef Australia season 10. One of them was accused of being close to George Calombaris because she had him taste a sample of something she was preparing before cooking it in quantity for the contest, while the other who was a nutritionist was turning out desserts which went against the grain of someone whose profession was about “clean eating”.

Even a few years ago, I observed a situation of online abuse directed at a cafe I was visiting because they wouldn’t accept the placement of a protest group’s campaign flyers near their till. It was while their neighbourhood was effectively being divided by the potential presence of a McDonalds fast-food restaurant with this protest group against the proposed development. I even defended that they had the right to defend their space but they even had to effectively shut down the commenting ability on their Facebook presence.

This kind of bullying has become very toxic with the Gamergate saga which was an attack on female game developers and female gaming journalists. This situation got to a point where there were death threats against one of the game developers along with the publication of her home address and phone number.

Typically this can be about a perverse innuendo about intimate relationships involving one or more of the victims; that the victim doesn’t “fit the mould” expected of them; or that they are “taking the wrong side” on an issue.

But Constance Hall produced a Facebook video addressing this kind of behaviour in the online space. Here, it was about stopping the acceptance and normalisation of online bullying and she had related it to what happens to children and teenagers. This video was even played as part of the introductory video package that preceded her dance routine in Dancing With The Stars. This meant that the issues being raised in the video had a good chance of being aired on prime-time traditional TV.

It is also part of her personal campaign to reach out to and encourage teenagers and other young people who are at risk of being bullied during their life’s journey especially in the online context.

A good practice to deal with trolling in an online environment would be to “insert” some common-sense in to the conversation. It may be best to approach it in a neutral form without appearing to take sides.

If it is getting out of control, most social-media platforms and some other online environments have the ability to “mute” participants or “hide” conversation threads so you don’t have them in your view. Social-media platforms also have the ability to block participants so they can’t follow you. As well, you may also have to report offensive behaviour to the online environment that it’s occurring in if it is becoming consistent.

If the online environment has the ability for users to upvote or downvote comments or threads, it can be used as a way to bury questionable comments. It is a feature that has appeared in some commenting platforms like Disqus or some online forum software, but is slowly being rolled out to major social media platforms like Facebook.

I applaud Constance Hall for how she has turned a negative experience around for something positive as well as underscoring a “you can do it” approach. This is more so for people who are or are likely to become an online personality who can easily fall victim to the ugly side of the Internet.

Send to Kindle

Computers that are secure by design are less likely to be bugs

Article

Dell XPS 13 8th Generation Ultrabook at QT Melbourne rooftop bar

Running modern always-updated operating systems and applications on your laptop is a way to keep your computing environment safe and secure.

Should you be scared of your laptop’s webcam? | ZDNet

Previous Coverage

Regular operating systems and their vulnerability to security threats

My Comments

An article appeared about whether one should be scared of their computer’s integrated Webcam and microphone. Here, a Webcam and microphone integrated in a computer or monitor or a USB Webcam that is always plugged in could turn the computer in to a surveillance device. But it highlighted the fact that recent versions of operating systems and productivity applications are “secure by design” when used to default settings.

It went through two different “what-if” hacking scenarios with different software combinations to see how hard they were to penetrate in order to “open up” the Webcam. The trigger point was to receive a “loaded” document with instructions that the user must follow, something that can be done through an email phishing attempt. Here, the document would have a macro that would install malware to open up the Webcam and stream its vision remotely.

The first scenario involves a Windows 10 computer running the latest version of Microsoft Word while the second scenario involved MacOS 10.14 Mojave and the latest version of LibreOffice. All operating systems and applications were run in the default protected mode but MacOS Mojave was temporarily configured to admit software from other sources in order to admit LibreOffice on to the Mac.

What was highlighted was the recent operating systems’ flagging or blocking of questionable software when the article’s author was asked to click on the required link within the document. The operating systems having their own basic endpoint-protection software underscored the ability to keep users safe from rogue software. Even productivity application software running documents supplied by email or from questionable sources in a protected mode to inhibit the execution of macros was also highlighted.

Creative Labs LiveCam Connect HD Webcam

Webcams, whether external like this one or integrated in a computing device, aren’t able to be bugs if you keep your computer software up-to-date with the latest patches and have it running “secure by default”.

This meant that neither the Webcam nor the microphone could not be accessed without the user knowing. It was demonstrating the recent “secure by design” approach of newer regular-computer environments that assured the average user of their data security. You may harden that attack surface by masking an integrated Webcam that is part of your computer or monitor, or disconnecting an external Webcam.

Unless you need to, keep your computer’s operating system, applications and endpoint-security utilities running in a “default-for-security” manner. This also includes updating them to the latest version, preferably with the software updating themselves.

If you are supporting other systems, don’t disable the computing environment’s security features unless you are sure they need to be disabled. Also educate the other users about data-security risks including the security warnings that will pop up on their computer.

If you are dealing with an old computer that is running a very old operating system and application software that doesn’t have the “secure by design” approach, you may have to cover or disconnect the Webcam. This is more so if it is found to be running the software “out of the box” without any patches or updates applied to it.

In most cases, the “secure-by-design” approach of most modern computing environments allows us to be able to use regular or mobile computer equipment in a secure manner.

Send to Kindle

Business-email compromise phishing now affects consumers

Article

House in Toorak

The sale of a property is an area where consumers can easily be caught up in a business-email compromise scam

Email crooks swindle woman out of $150K from home sale | Naked Security blog

An email scam has caused $200,000 in losses to real estate agents and home buyers in Victoria | Smart Company

My Comments

Ordinary householders can be at risk of a “business email compromise“ phish attempt in the same way as those in large business.

The business email compromise scam

This scam typically has the trickster research as much as they can about their victim and his or her employer or business partners. The victim that is usually targeted is someone who is likely to facilitate business-sensitive transactions or handles business-sensitive data like the payroll. They will find out whom they report to within the organisation such as the chief financial officer, or beyond the organisation like their accountant, lawyer or the tax department.

Then they place an urgent request to the victim to wire funds to a particular account as part of a wire fraud. Or they could be asked to reply to the email with organisationally-sensitive data like employee data typically presented as a “wages and tax-witholding” statement like a W2 (USA), P60 (UK and Ireland) or Group Certificate (Australia) to facilitate identity theft against the business’s staff.

How can ordinary people get caught up in these scams?

Apartment block in Elwood

as can having that rental apartment managed by someone else

But this kind of email scam can similarly happen with personal transactions, especially those that are high-stakes in nature, typically requiring the engagement of legal counsel. A key example of these transactions would be the sale of real-estate, businesses or investments.

Similarly, the probate settlement of a deceased estate or a property settlement after a divorce or separation could be at risk because these can involve a collection of items including high-value goods like real-estate or collectables. In that case, you are dealing with a real-estate transaction along with the valuation and sale of items.

It can also extend to transactions where you are delegating an agent to manage assets. Examples of these include trust funds typically for minor children, powers of attorney, or rental properties managed by a property manager or estate agent.

These transactions typically involve the frequent exchange of documents during the closure or settlement period where the transaction is in the process of being realised. They also involve dealing with different entities like conveyancers, law firms, estate agents and the like to facilitate the transactions. In addition, due to electronic transaction technologies like online document signing, there will be many emails between the parties that will have links to various resources like document repositories including document-signing platforms or results pages. They are also vulnerable towards the end of the settlement period where a last-minute change could be rushed in “under the radar”.

What can happen, for example, is that a fraudulent email could be used to “steer” the proceeds of a house sale away from the vendor’s account towards a fishy-sounding account.  Or funds due to an estate’s beneficiary could be steered away to an account not under the control of that person.

What can you do?

Compose Email or New Email form

Protect yourself against this scam by practising safe email habits

To protect yourself, make sure everything about the transaction is properly “cut and dried” as it evolves. This includes identifying and documenting sources, currencies and destinations of any funds along with procedures affecting the high-stakes transaction at the start of the transaction. Especially be careful of last-minute changes that crop up towards the end of the settlement.

Protect email accounts that are party to the transaction such as implementing security measures that the email service or client software would provide. With Webmail services,using multi-factor authentication may work as a secure measure, as will verifying that you log in to the service at its known proper address.

Carefully examine emails associated with the transaction to be sure they come from the proper email addresses. As far as links to online resources are concerned, make sure you know the proper domain name for these resources and that the links point to resources at that domain name. Attachments should also come through as proper representations of their filetype and you may have to use your endpoint security software to scan for document-laden malware.

Similarly, you may have to make sure Word documents or Excel spreadsheets are viewed in “Protected View” where macros cannot be run or the document can’t be edited. You would need to exit this mode if you are editing the document such as filling in a form or amending a spreadsheet, or printing it out.

In some cases, a regular personal computer running desktop applications and Web browsers may become a better device to use for verification than a mobile-platform device like a smartphone or tablet. This is because the desktop operating system and software tends to offer a more detailed user experience than their mobile equivalents.

If someone changes their email or other communications details, confirm these details through another communications means that you and them trust. You may have to use one of the prior or alternate communications details as a tool for confirmation if a significant number of details is changed such as through a change of employment.

You may have to double-check invoices, account numbers and the like directly with the other party especially if these details are changed. It is best to do this in person or on the phone using independently-verified phone numbers such as numbers you already have for them.

Avoid the use of untrusted networks like insecure public-access networks to do your sensitive business. Here, you may find that using a mobile-broadband connection and/or a VPN may work with this kind of business if you are away from home or office networks you can trust.

Be especially careful about creditors where the payment-destination account number, the payment method or currency changes during the course of your business. There may be a legitimate reasons such as a creditor changing banks or accounts for something that suits their needs better. But an impostor could be steering money that you owe them to an account under the control of the grifter who is impersonnating them.

If the high-stakes transaction has any international dimension about it, don’t be afraid to seek consular help regarding any aspect of that transaction. It may mean talking with your country’s foreign-affairs government department or the embassy or consulate associated with the foreign country. This is now important with people relocating overseas while maintaining assets like homes in their own or other countries, or goods being purchased via the Internet from foreign sellers.

For example, participants of a transaction conducted across international borders can use consular help to verify each others’ identities. Similarly, they can organise official translation of any official documents that are part of the transaction and are in a language that one of the parties doesn’t understand. Or you simply may need to confirm the legitimacy of that transaction in the foreign country including any steps you need to take.

Conclusion

We as consumers can become vulnerable to the business-email compromise scam when we are dealing with high-stakes transactions like real-estate purchases. To protect yourself, it’s about secure computing and email practices along with making sure everything in the transaction is “cut and dried” including verifying changes through another communications path you trust.

Send to Kindle

European Union’s data security actions come closer

Article

Map of Europe By User:mjchael by using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

The European Union will make steps towards a secure-by-design approach for hardware, software and services

EU Cybersecurity Act Agreed – “Traffic Light” Labelling Creeps Closer | Computer Business Review

Smarthome: EU führt Sicherheitszertifikate für vernetzte Geräte ein | Computer Bild (German Language / Deutschen Sprache)

From the horse’s mouth

European Commission

EU negotiators agree on strengthening Europe’s cybersecurity (Press Release)

My Comments

After the GDPR effort for data protection and end-user privacy with our online life, the European Union want to take further action regarding data security. But this time it is about achieving a “secure by design” approach for connected devices, software and online services.

This is driven by the recent Wannacry and NotPetya cyberattacks and is being achieved through the Cybersecurity Act which is being passed through the European Parliament. It follows after the German Federal Government’s effort to specify a design standard for routers that we use as the network-Internet “edge” for our home networks.

There will be a wider remit for EU Agency for Cybersecurity (ENSA) concerning cybersecurity issues that affect the European Union. But the key issue here is to have a European-Union-based framework for cybersecurity certification, which will affect online services and consumer devices with this certification valid through the EU. It is an internal-market legislation that affects the security of connected products including the Internet Of Things, as well as critical infrastructure and online services.

The certification framework will be about having the products being “secure-by-design” which is an analogy to a similar concept in building and urban design where there is a goal to harden a development or neighbourhood against crime as part of the design process. In the IT case, this involves using various logic processes and cyberdefences to make it harder to penetrate computer networks, endpoints and data.

It will also be about making it easier for people and businesses to choose equipment and services that are secure. The computer press were making an analogy to the “traffic-light” coding on food and drink packaging to encourage customers to choose healthier options.

-VP Andrus Ansip (Digital Single Market) – “In the digital environment, people as well as companies need to feel secure; it is the only way for them to take full advantage of Europe’s digital economy. Trust and security are fundamental for our Digital Single Market to work properly. This evening’s agreement on comprehensive certification for cybersecurity products and a stronger EU Cybersecurity Agency is another step on the path to its completion.”

What the European Union are doing could have implications beyond the European Economic Area. Here, the push for a “secure-by-design” approach could make things easier for people and organisations in and beyond that area to choose IT hardware, software and services satisfying these expectations thanks to reference standards or customer-facing indications that show compliance.

It will also raise the game towards higher data-security standards from hardware, software and services providers especially in the Internet-of-Things and network-infrastructure-device product classes.

Send to Kindle

Connected novelties and toys–security and useability issues that affect this product class

Giftware chook (rooster)

Connected versions of classic novelties and giftware will be subject to severe scrutiny

An issue that is rearing its ugly head is the rise in availability of connected novelties and toys. They are toys, novelties, giftware, seasonal decorations and other items that are able to connect with your computer or network. This connectivity function is often sold as one of the key marketing features with it able to work with an online service of some sort.

When I talk of toys, I don’t just talk of what children play with with but also other toys that adults end up playing with. These can include the so-called “executive toys” that live on the office desk for one to keep the other hand busy while they are on the phone.

Who typically sells these products

Toys and novelties are typically sold through a large range of online and bricks-and-mortar retailers, whether they be toy stores, gift stores, souvenir outlets or multi-facet outlets including department and discount stores. In some cases such as rural areas, a store like a newsagent’s could even sell novelties or toys.

Another factor is that novelties are given away to people and businesses as a gift or premium. This can typically happen as part of a “loot bag” offered out at conferences or tradeshows or simply used as a giveaway during a presentation to encourage audience participation.

Christmas wreath

Seasonal decorations that connect to the Internet can also be a security or setup risk

The common factor here is that most of the outlets that sell this kind of product are staffed by people who don’t have much technological know-how. This can affect the procurement process affecting whether the item exhibited at the gift fair should be stocked, or providing customer advice during and after the sale including how to get the connected novelty fully operational.

Artisans who make these gifts and novelties

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

Your Amazon Echo will soon be expected to work with a wide range of toys and novelties

There is also the fact that craftspeople like to make various toys, novelties, gifts and other items and sell them directly to customers or on a wholesale basis. But they do want to add some extra functionality like musicality or flashing lights to some of their product lines.

Typically, if they want this extra functionality in these gifts that they make, they have someone else make and supply the necessary components like clockwork movements or electronic-circuit kits to fulfil the extra functionality in a pre-assembled form.  Then the artisan installs the pre-assembled mechanisms or circuits in the toy or gift as part of putting the whole thing together.

It allowed these artisans to focus on their craftwork and build the items they want to sell, while being able to offer a wide range of goods. The same comments that apply to finished goods also apply to the various components and kits that are being sold to these artisans for their projects.

In this case, the artisans have to be aware of what they procure when they are being sold a “connected functionality” kit for installation in their projects. For them, they have to be aware of customer-support issues including setup and data-security issues regarding this extra functionality.

Connected modules for construction sets and similar hobbies

The same concept also extends to construction-set platforms like Meccano, Lego and FischerTechnik where children and adults build items using the pieces that are part of the respective platforms. In this case, anyone to do with these platforms could offer connected modules or kits that have the ability to control one or more items in their platform-based project like a motor, light or solenoid using an “Internet Of Things” approach. Here, these modules have to be able to seen as equivalent to a connected toy or novelty, especially if the idea is to implement cameras, microphones or GPS sensors.

It also applies to model railways, track-based car-racing sets and the like where they can be extended with functionality modules sold by the set’s vendor or a third party catering to these hobbies. Again the modules also need to be designed for security if they are capable of being part of the Internet of Things.

Use of these items

There is the desire for people to buy these toys and novelties as gifts for others in their life. It also includes the fact that the recipient wants to get the item “up and running” as soon as possible.

This will involve having the device connected to a host device through Bluetooth or USB or to a home network for proper reliable use. It should be about a standard process that is implemented for onboarding including the installation of any extra software.

Key security issues

A key security issue concerning the connected toy, novelty or similar device is that it can be an espionage item presented in an innocuous form. It can concern us both at home and in the office because we can easily be talking about items that are confidential and sensitive in our personal and business lives.

This was highlighted in a crime-fiction form to the Germanic viewership in Europe through the Munich-based Tatort “Wir Kriegen Euch Alle” (We Get You All) episode shown there on Sunday 9 December 2018. This story was focused around a connected doll that was given by strangers to various childrens’ families in middle-class Munich and was used as a surveillance tool to facilitate crimes against the families.

It underscored that Germany has some very strict policies where the sale of surveillance devices that are disguised as innocuous items isn’t allowed in that country. But, in the story, these dolls were imported in to Munich from a location in Austria which is a short drive away and facilitated by the Schengen Agreement in the European Union.

Let’s not forget the recent cyberattacks such as the Mirai botnet that were facilitated by dedicated-purpose devices like network-infrastructure equipment and videosurveillance cameras which were running compromised software. Then there are factors regarding data-storage devices and “bag-stuffer” novelties given away during business conferences where there is the possibility of them being loaded with questionable software.

What would I like to see

Security

There has to be identification on the toy’s or novelty’s packaging about what kind of sensors like location sensors, microphones or cameras that the device has, as well as whether the device transmits data to online services. This includes whether the device does this directly or via intermediary software running on other computer devices such as mobile devices running companion mobile-platform apps. Even a hang tag attached ti the novelty could highlight what kind of sensors or online services it uses which would be important for those items sold without packaging.

Preferably, this can be achieved through standard graphical symbols indicating the presence of particular sensors or the use of online services and social networks. It can also identify whether the toy’s or novelty’s functionality are dependent on these sensors or online services.

App stores and other software platforms that host “connector” software have to implement stringent permissions for these kind of devices especially if they use a microphone, camera or location sensor. There could be standards on whether the software is allowed to record from these sensors over a long time or keep the recording persistent on the host device or online service.

A limitation I would also like to see for connected toys and novelties that if they work with another computing device including a smart speaker, the connection can only be effectively within the same premises. This can be tested through the use of a peripheral-grade connection like Bluetooth or USB to a computing device or limiting the range of discovery for network-based devices to that of the same logical private network or subnet. Here, it represents all the devices on the LAN side of a home-network’s router and excludes devices existing on other logical networks served by the same physical device like “guest” or “community” networks.

As far as Bluetooth is concerned, the toys should implement authentication processes during the setup phases. Then the device ceases to be able to be discovered once it is paired with a host device. It is like what we are seeing with Bluetooth headsets and similar devices that have been recently released. They may also have to work on a limited radio range to prevent successful connection from a distance.

There should also be a simple “factory-reset” process to allow the user to place the toy or novelty in to setup mode, effectively wiping data from the device. This allows a recipient to effectively “claim possession” of the device as if it is new, avoiding the situation where they may be given something that is compromised to do what someone else wants it to do. It also applies to situations where you are dealing with ex-demo stock or gift-fair samples.

This should also apply to online services associated with these toys or novelties where the user has proper account control for the device’s presence on that service and any data collected by that device.

There are devices that observe particular functions according to a particular device class supported by many platforms like a novelty nightlight or illuminated Nativity scene that works with a “smart-home” setup or a novelty Bluetooth speaker. These devices have to work according to the standards in force for that device class and its connection to the host device or network. It is more important where the device may perform further tricks while running alongside dedicated vendor-created software but is able to have basic functionality without this software.

A software-level security approach could be achieved through an open-source or peer-reviewed baseline software that ticks the necessary boxes. This would apply to the firmware installed in the device and any apps or other companion software that is required to be run on other computing devices for the novelty to operate. It also includes a requirement that this software be reviewed regularly for any bugs or weaknesses that could be exploited, along with compliance requirements.

This could be assessed according to a set of European norms because the continental-European countries are very concerned regarding privacy thanks to their prior history.

As far as modules for integration in to toys, novelties and giftware is concerned, the modules should meet the same requirements as finished products that would have the same functionality. Craftspeople should also be aware of data security and user privacy issues when it comes to choosing modules for their projects that are dependent on computer devices or networks.

Setup and Connectivity

Another area that is a sore point for connected toys and novelties is bringing these devices on board for you to use. In a lot of cases, this is exacerbated through awkwardly-written instructions that can test one’s patience and not much knowledge about what is needed for the device to work fully.

The device packaging could use Wi-Fi, Bluetooth or other standard logos to indicate what kind of connectivity it needs to operate fully. This is to be highlighted with the “app store” logos for various operating-system app stores if the device is dependent on companion apps for full functionality. Similarly, use of other official platform logos can be used to identify compatibility with platforms like smart-TVs or voice-driven home-assistants.

Simple-yet-secure setup and onboarding procedures are to be paramount in the design of these devices. For Bluetooth-based devices, they should use “simple-pairing” such as pressing a button on the device to make them discoverable. This is even made easier with a trend towards “out-of-the-box” discoverability if the device isn’t paired with any host. Then the user activates their host device in “Bluetooth Scan” mode to discover the device,  subsequently with them selecting the device through its presentation name.

Windows, Android and iOS are even implementing simplified device-discovery routines for Bluetooth devices, with the ability to lead users to visit the app store to install complementary software. This will make things easier for users to get the toy or novelty up and running.

Wi-Fi-based devices would have to use WPS-PBC push-button setup, Wi-Fi Easy Connect, or other simplified setup processes for integration with the home network. It also applies to other network connection standards where you have to enrol the device on to that network.

Smart-home devices that implement Zigbee, Z-Wave and similar standards also have to implement simplified discovery protocols implemented in these standards to bring them on-board.

In relationship to security, I underscored the need for use of device-class standards as much as possible. But it also applies to connectivity and useability where a device that honours device-class standards is also easier to use because you are operating it the same for its peers.

Conclusion

This year will become a time where security and useability will be of critical importance when toys, novelties and other similar goods that connect to the home network and the Internet are designed and sold to consumers. Here, these issues may avoid these kind of toys ending up in disuse due to security or setup issues.

Send to Kindle

Amnesty International reports on recent email phishing attacks

Article

How Hackers Bypass Gmail 2FA at Scale | Motherboard

Hacker spoofing bypasses 2FA security in Gmail, targets secure email services | ZDNet

My Comments

Recently, it has been revealed that hackers were attacking users of secure email sites by compromising the two-factor authentication that these sites implement.

This has been found to be an attack perpetrated by nation-states against journalists, human-rights defenders, non-government organisations and their allies in the Middle East and North Africa over 2017 and 2018. Here, this user base were using GMail and Yahoo Mail Webmail services and Protonmail and Tutanota secure Webmail services that were compromised. This is because the Webmail setup typically allowed for a client-independent portable email front.

What was going on was that a phishing page was asking for the users’ email and password but this would trigger the software’s two-factor authentication routine. But the user interface was “steered” via a fake page asking for the one-time password that the user would transcribe from their mobile phone which would receive this value via text messaging. It then led to the creation of an app password, typically used for third-party apps to use the service, but was used by the hacker to sustain control of the user’s email account.

Oh yeah, there was the SSL authentication which would show a “green padlock” icon on the user’s Web browser, making the user think that they were safe. But the phishing that took place was facilitated using fake domain names that sounded and looked like the real domain names.

This loophole exploited the use of the “intact key” or “green padlock” symbol in a Web browser’s user-interface to indicate that the SSL certificate was intact and that the interaction with the Website is safe thanks to HTTPS. But users may not know they are with the wrong Website, which is the breeding ground for phishing attempts.

The other weakness that was called out was the requirement for end-users to transcribe the one-time password from an SMS message, software token app or hardware token in order to phish the account. This was aggravated through the use of an app password to allow third-party app access to the service. What is being preferred as a secure 2FA solution was a security key kept in the possession of the end-user that connects to the user’s host device via USB, Bluetooth or NFC.

Most of us can easily relate this process to using an ATM to take cash out of our account or a payment terminal to pay for goods or services using our plastic cards. Here, to facilitate the transaction, you have to present your card by inserting it in or touching it on an identified spot on the ATM or payment terminal then enter your PIN number in to the same machine.

Extended Validation SSL site as identified on Microsoft Edge address bar -

Extended Validation SSL site as identified on Microsoft Edge – notice the organisation’s legal name appearing in green text

The Websites that high-risk end-users rely on can use Extended Validation SSL or Organisation-based SSL certificates and other authentication measures to verify the Website they are visiting is the correct one. Extended Validation SSL has a stronger certificate that verifies the organisation it is associated with and implements the strongest encryption available for HTTPS. The user experience here will have a green bar in the browser’s address bar along with the typical padlock icon while the organisation’s legal name is written in the address bar before the URL. The Organisation-based SSL certificate doesn’t have the green bar or text on the user interface but lists the organisation’s legal name in the address bar. But some browsers like recent Chrome versions don’t implement the green highlighting of the legal name for EV SSL certificates.

This also includes the organisations keeping tabs on their Internet “real estate” of domain names to identify typosquatting risks and, perhaps, make further “land grabs” of domain names if they can afford it.  This is in conjunction with efforts like what Amnesty International were doing with Protonmail and Tutamota where they are made aware of fake sites and are given legal assistance to take them down.

Then browsers and similar user agents could highlight domain names in a more distinct manner so users can know where they are at. This would be more important with email clients or browsers implemented on “reduced-user-interface” platforms like mobile operating systems. As well, end-users in high-security-risk user groups could be trained to be aware of the domains associated with Websites they are visiting. Mobile browsers pitched to smartphones can also implement a way to show the organisation’s legal name on the user interface such as a caret-identified drop-down interface that comes alive with Organisational Validated or Extended Validated SSL certificates.

Webmail-based user interfaces and similar high-risk online services could move towards use of “transcription-free” two-factor authentication like FIDO-U2F-compliant security keys including software keys run on mobile platforms to provide a secure login user experience.

Similarly, token-based authentication could be the way to go for app-to-service authentication especially as we use native-client software to interact with online services. This avoids the creation of persistent “app passwords” to facilitate native client access to online services. Here I would see this as being important as something to be investigated as part working towards secure client-based email setups, especially as the client-based email provides a platform-native user interface for your email.

Each of these approaches has to be looked at in a manner to work with small and medium organisations who don’t have their own IT staff. This is more so as this class of organisation sees itself as “grown up” when it uses cloud-based line-of-business software. The issue here is to assure that authorised users have secure access to the proper service they are authorised to use.

This situation that Amnesty International raised could also bring forward the idea of non-profit entities that underscore data security for independent media and civil society. Here, it could be about extending and bolstering the Electronic Frontier Foundation’s efforts or building up legal-action funds and lawyer teams to provide legal remedies against cyber-attacks.

What is now being realised is data security has now become a human-rights issue rather than an economic necessity.

Send to Kindle

Germany to set a minimum security standard for home-network routers

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Germany has defined a minimum standard for secure broadband router design

Germany proposes router security guidelines | ZDNet

From the horse’s mouth

BSI (German Federal Office for Information Security)

TR-03148 Secure Broadband Router 1.0 (PDF)

My Comments

It is being identified that network connectivity devices and devices that are part of the Internet-Of-Things are being considered the weakest point of the secure Internet ecosystem. This is due to issues like security not being factored in to the device’s design along with improper software quality assurance when it comes to the devices’ firmware.

The first major incident that brought this issue to the fore was the Mirai botnet attack on some Websites and dynamic-DNS servers through the use of compromised firmware installed in network videosurveillance cameras. Recently in 2016, a similar Mirai-style attack attempt was launched by the “BestBuy” hacker involving home-network routers built by Zyxel and Speedport.There was a large installed base of these routers because they were provided as standard customer-premises equipment by Deutsche Telekom in Germany. But the attempt failed due to buggy software and the routers crashed.

Now the BSI who are Germany’s federal information-security government department have taken steps towards a baseline set of guidelines concerning security-by-design for these home-network routers. It addresses both the Internet-based attacker sithation and the local-network-based attacker situation such as a computer running malware.

Key requirements

Wi-Fi segments

There are requirements concerning the LAN-side private and guest Wi-Fi segments created by these devices. They have to work using WPA2 or newer standards as the default security standard and the default ESSIDs (wireless network names) and Wi-Fi passphrases can’t relate to the router itself like its make or model or any interface’s MAC address.

As well, guest Wi-Fi and community / hotspot Wi-Fi have to be treated as distinct separate logical networks on the LAN side and they have to be “fenced off” from each other. They will still have access to the WAN interfaces which will be the Internet service. The standard doesn’t address whether these networks should implement client-device isolation because there may be setups involving a requirement to discover printers or multimedia devices on these networks using client software.

Router management

The passwords for the management account or the Wi-Fi segment passphrases have to be tested against a password-strength algorithm when a user defines a new password. This would be to indicate how strong they are, perhaps through a traffic-light indicator. The minimum requirement for a strong password would be to have at least eight characters with at least 2 each of uppercase, lowercase, number and special characters.

For the management account, there has to be a log of all login attempts along with lockout-type algorithms to deter brute-force password attacks. It would be similar to a code-protected car radio that imposes a time delay if the wrong passcode is entered in the radio. There will be an expectation to have session-specific security measures like a session timeout if you don’t interact with the management page for a certain amount of time.

Other requirements for device management will include that the device management Webpage be only accessible from the main home network represented by the primary private Wi-Fi segment or the Ethernet segment. As well, there can’t be any undocumented “backdoor” accounts on the router when it is delivered to the customer.

Firmware updating

But the BSI TR-03148 Secure Broadband Router guidelines also addresses that sore point associated with router firmware. They address the issue of updating your router with the latest firmware whether through an online update or a file you download to your regular computer and upload to the router.

But it is preferred that automatic online updates take place regarding security-related updates. This will most likely extend to other “point releases” which address software quality or device performance. Of course, the end-user will need to manually update major versions of the firmware, usually where new functionality or major user-interface changes take place.

The router manufacturer will be required to rectify newly-discovered high-severity security exploits without undue delay once they are notified. Here, the end users will be notified about these software updates through the manufacturer’s own public-facing Website or the router’s management page.

Like with most regular-computer and mobile operating systems, the use of software signatures will be required to authenticate new and updated firmware. Users could install unsigned firmware like the open-source highly-functional firmware of the OpenWRT kind but they will need to be warned about the deployment of unsigned firmware on their devices as part of the deployment process. The ability to use unsigned firmware was an issue raised by the “computer geek” community who liked to tinker with and “soup up” their network hardware.

Users will also need to be notified when a manufacturer ceases to provide firmware-update support for their router model. But this can hang the end-user high and dry especially if there are newly-discovered weaknesses in the firmware after the manufacturer ceases to provide that software support.

The standard also places support for an “anti-bricking” arrangement where redundant on-device storage of prior firmware can exist. This is to avoid the router from “bricking” or irreversibly failing if downloaded firmware comes with software or file errors.

Other issues that need to be addressed

There are still some issues regarding this standard and other secure-by-design mandates.

One of these is whether there is a minimum length of time for a device manufacturer to continue providing security and software-quality firmware updates for a router model or series after it is superseded. This is because of risks like us purchasing equipment that has just been superseded typically to take advantage of lower prices,  or us keeping a router in service for as long as possible. This may be of concern especially if a new generation of equipment is being released rather than a model that was given a software-compatible hardware refresh.

Solutions that could be used include open-sourcing the firmware like what was done with the Linksys WRT-54G or establishing a known-to-be-good baseline firmware source for these devices while continuing to rectify exploits that are discovered in that firmware.

Another is the existence of a logo-driven “secure-by-design” campaign directed at retailers and the general public in order to encourage us to buy or specify routers that are compliant to this standard.

An issue that needs to be raised is whether to require that the modem routers or Internet-gateways supplied as standard customer-premises-equipment by German ISPs and telcos have a “secure-by-design” requirement. This is more of an issue with Internet service provided to the average household where these customers are not likely to fuss about anything beyond getting Internet connectivity.

Conclusion

The BSI will definitely exert market clout through Europe, if not just the German-speaking countries when it comes to the issue of a home network that is “secure by design”. Although the European Union has taken some action about the Internet Of Things and a secure-by-design approach, they could have the power to make these guidelines a market requirement for equipment sold in to the European, Middle Eastern and African areas.

It could also be seen by other IT bodies as an expected minimum for proper router design for home, SOHO and SME routers. Even ISPs or telcos may see it as an obligation to their customers to use this standard when it comes to specifying customer-premises equipment that is supplied to the end user.

At least the issue of “secured by design” is being continually raised regarding home-network infrastructure and the Internet Of Things to harden these devices and prevent them from being roped in to the next Mirai-style botnet.

Send to Kindle

HP to start a bug bounty program for its printer firmware

Articles

HP OfficeJet 6700 Premium multifunction printer

HP to implement a bug bounty program to assure high-quality secure firmware for their printers like thisi OfficeJet.

HP Becomes the First Printer Maker to Launch a Bug Bounty | Tom’s Hardware

HP Launches $10,000 Bug Bounty for Printers | ExtremeTech

My Comments

Over the last few years, dedicated-function devices like printers, videosurveillance cameras, routers and the like have been identified as a weak point when it comes to data security.

This has been highlighted through some recent cyberattacks like the Mirai botnet attack which was driven by dedicated-function devices like videosurveillance cameras running compromised firmware along with recent security exploits associated with home and SOHO routers being able to run compromised firmware. There is also the fact that manufacturers are building the same kind of computer power in to these devices as what would be expected from a regular computer through the 1990s or 2000s. There is also the fact that these devices can be seen as an entry point in to a network that handles confidential data or be used as an onramp for a denial-of-service botnet.

Hewlett-Packard have answered the reality of firmware integrated within their printers by starting a bug-bounty program where software developers, computer hackers and the like are paid to “smoke out” bugs within this firmware. Then this leads to meaningful software updates and patches that are sent out to owners of these devices, typically through an automatic or semi-automatic installation approach. It is a similar practice to what Microsoft, Apple and others are working on to make sure that they are running high-quality secure operating-system and application software.

This has been seen as of importance for printers targeted initially at the enterprise market because they would be processing significant amounts of company-confidential data in order to turn out company-confidential documents. But this approach would have to apply to home, SOHO and small-business machines as well as the larger workgroup machines found within the enterprise sector. This is because these kind of machines can be used by people working at or running a business from home along with those of us in charge of small businesses or community organisations.

By HP setting an example with their printer firmware, it could become a standard across other vendors who want to maintain a culture of developing high-quality secure firmware for their dedicated-function devices. This is more so as the consumer and enterprise IT market raises expectations regarding the software quality and security that affects the devices they use.

Send to Kindle