Category: Data security

Article

You can also manage your interactions with the Harman-Kardon Invoke speaker here

How to delete your voice data collected by Microsoft when using Cortana on Windows 10 | Windows Central

My Comments

Previously, I posted an article about managing what Amazon Alexa has recorded when you use an Amazon Echo or similar Alexa-compatible device.

Now Microsoft has a similar option for Cortana when you use it with Windows 10. This is also important if you use the Harman-Kardon Invoke smart speaker, the Johnson Controls GLAS smart thermostat as long as they are bound to your Microsoft account.

Manage your Microsoft Account (and Cortana) from Windows 10 Settings

In most instances such as your computer, Cortana may be activated by you clicking on an icon on the Taskbar or pressing a button on a suitably-equipped laptop, keyboard or other peripheral to have her ready to listen. But you may set her up to hear the “Hey Cortana” wake word to listen to you. This may be something that a Cortana-based smart device may require of you for expected functionality when you set it up.

This may be a chance where Cortana may cause problems with picking up unwanted interactions. But you can edit what Cortana has recorded through your interactions with her.

Here, you go in to Settings, then click on Accounts to open the Accounts screen. Click on Your Info to which will show some basic information about the Microsoft Account associated with your computer.

Privacy dashboard on your Microsoft Account management Website

Click on “Manage My Microsoft Account” which will open a Web session in your default browser to manage your Microsoft Account. Or you could go directly to https://account.microsoft.com without needing to go via the Settings menu on your computer. The direct-access method can be important if you have to use another computer like a Mac or Linux box or don’t want to go via the Settings option on your Windows 10 computer.

Click here for your Cortana Voice interaction history

You will be prompted to sign in to your Microsoft Account using your Microsoft Account credentials. Click on the “Privacy” option to manage your privacy settings. Then click on the “Activity History” option and select “Voice” to view your voice interactions with Cortana. Here, you can replay each voice interaction to assess whether they should be deleted. You can delete each interaction one by one by clicking the “Delete” option for that interaction or clear them all by clicking the “Clear activity” option.

Details of your voice interactions with Cortana

Your management of what Cortana has recorded takes place at the Microsoft servers in the same vein to what happens with Alexa. But there will be the disadvantage of Cortana not having access to the false starts in order to use her machine learning to understand your voice better.

These instructions would be useful if you are dealing with a Cortana-powered device that doesn’t use a “push-to-talk” or “microphone-mute” button where you can control when she listens to you.

Personal and business Internet users are showing interest in the concept of secure email. This is to assure that confidential emails only end up being viewed by the eyes of their intended recipients.

It is being driven by issues relating to confidential personal and business information being leaked to the Web along with a common personal worry regarding government surveillance in the age of terrorism and extremism. Along with this, activists, journalists and the like are wanting to rely on secure communications to pass through critical information in areas that are hostile to freedom of speech and the press. In some cases, people travelling through countries known to be hostile to freedom of speech like Russia and China have been encouraged to keep their data highly secure due to the espionage taking place in these countries.

More work needs to be done on secure email

There is a slow increasing prevalence of secure email platforms appearing on the Web. These platforms such as the Swiss-based ProtonMail and the secure iteration of Google’s GMail service are dependent on a Web-based user interface. Along with this, most of us are implementing instant-messaging platforms like WhatsApp, Viber and Telegram to send personally-confidential material to each other.

But they offer a series of features intended to assure personal privacy and corporate data security. They offer end-to-end encryption for the emails at rest (while they are on the servers pending delivery) and in transit (while they are being moved between servers). They also offer the ability for users to send seif-destructing emails that don’t stay in the recipient’s or the sender’s storage space after they are read unlike with conventional emails which stay in the user’s storage space after being sent or read. These self-destructing emails cannot even be forwarded to others or printed out (although it could be feasible to take a screenshot of that email and print or forward it). Some of these setups even have the ability to detect screenshots and let the sender know if the recipient took one of a confidential email. As well the metadata about the emails isn’t held on the servers.

But there are current limitations associated with these services. One of these is that the privacy features are only available to users who subscribe to the same email platform. This is because the common standards for secure email such as S/MIME, PGP and GnuPG only support basic key-based encryption and authentication abilities and the common email protocols like IMAP and POP3 don’t support email-handling control at the message level. As well, these services rely on a Webmail interface and require users to click on links sent as part of standard emails to view the secure messages if they aren’t part of that system.

There are certain features that need to be added to IMAP4 to allow for secure email handling. One of these is to permit message-level email control to permit self-destructing emails and to allow the sender to limit how the recipient can handle the messages. But the message-control features may run against legal-archive and similar requirements that will be asked of for business correspondence. In this situation, there may be the ability to indicate to senders or recipients if the emails are being archived as a matter of course and message-level email control can’t be assured.

Of course this may be about a newer feature-level email standard, preferably open-source or managed by many in computing academia and industry, to add this kind of secure email control.

Then there is the requirement to encourage the use of encrypted-email / authenticated-email standards like S/MIME or PGP within email endpoints, both Web-based and client-based. It will also include the ability for users to create asymmetrical key pairs and store their correspondents’ public keys in their contact manager software. There will also have to be the ability to support automated public-key discovery as a new contact is added, something currently feasible with encrypted messaging platforms that maintain their own contact directory.

Other questions that will come up in the course of building a secure email ecosystem is how the encryption keys are stored on the end-user’s system and whether an end-user needs to create new encryption keys when they change devices along with how to store them securely. This can be of concern with most computer users who typically maintain multiple devices, typically a smartphone along with a regular desktop or laptop computer and / or a tablet of the iPad ilk. Similarly there is the fact that one may not have the same computing device for the long haul, typically due to replacing one that has broken down or upgrading to a better-performing device.

There will also have to be the issue of security and portability thanks to issues like users temporarily using different computer devices such as friends’ computers, work / school computers or public computers. Here, it may be a question about where contact-specific encryption keys are held, whether on a server or on removable media along with how email sessions are handled on these temporary setups.

What will need to happen is for email platforms to support various secure-messaging features in a manner that can exist on a level playing field and without the need for correspondents to be on the same provider.

Article

You can find out what Amazon Alexa has recorded through your Echo device

How To Find Out What Your Alexa Is Recording | Lifehacker

My Comments

Recently, the computer press went in to overdrive about an Amazon Echo setup that unintentionally recorded and forwarded a family’s private conversation and forwarded it to someone in Seattle. Here, the big question that was asked was what was your Amazon Echo or similar smart speaker device recording without you knowing.

Amazon Echo, Google Home and similar voice-driven home-assistant platforms require a smart speaker that is part of the platform to hear for a “wake word” which is a keyword that wakes up these devices and has them listening. Then these devices capture and interpret what you say after that “wake word” in order to perform their function. One of the functions that these devices may perform is audio messaging where they could record a user’s message and pass that message on to another user on the same platform.

I had previously covered the issue of these voice-driven assistants being at risk of nuisance triggering including mentioning about the XBox game console supporting a voice assistant that triggered when an adman on a TV commercial called out a spot-special for the games console by saying “XBox On Sale” or “XBox On Special”.

Here, I recommended the use of a manual “call button” to make these devices ready to listen when you are ready or a “microphone mute” toggle to prevent your device being falsely triggered. As well, I recommended a visual indicator on the device that signals when it is listening. This is a practice mainly done with voice-assistant functionality that is part of a video peripheral’s feature set or software that runs on a platform computing device. Google’s Home smart speaker instead uses the microphone-mute button to allow you to control its microphone.

But you can check what Alexa has been recording from your Amazon Echo or other Alexa-compatible speaker device and delete private material that she shouldn’t have captured. This is also useful if you are troubleshooting one of these devices, identifying misunderstood instructions or are developing an Alexa Skill for the Alexa ecosystem.

1. Here you launch the Amazon Alexa mobile-platform app on your smartphone. If you are using the Amazon Alexa Website (http://alexa.amazon.com) as previously mentioned on this site, there is a similar procedure to go about identifying your Amazon Echo sessions.
2. Then you tap on the hamburger-shaped “advanced operation” icon on the top left of your screen.
3. Tap on Settings to bring up a Settings menu for your setup. Go to the History option in the Alexa Account section of that menu.
4. Here, you will see a list of interactions with any Alexa-ecosystem hardware or software front-end related to your Amazon account. These will be categorised by what has been understood and what hasn’t been understood. There is an option to filter the interaction list by date, which is handy if you have made heavy use of your Amazon Echo device through the months and years.

You can play each interaction to be sure of what your Alexa device or software has recorded. With these interactions, the current version of the interface only allows you to delete each unwanted interaction on by one. The effect of the deletion is that the interaction, including the voice recording, disappears from your account and the Amazon servers. But this could degrade your Amazon Alexa experience due to it not having much data to work on for its machine-learning abilities.

Here, at least with the Amazon Alexa ecosystem, you have some control over what has been recorded so you can remove potentially-private conversations from that ecosystem.

Video – Click or Tap to View

My Comments

This video has summarised in an “ABC” form about how you can deal with unsavoury videos and comments that appear on the YouTube platform. But a lot of concepts being explained here can also apply to Facebook and other platforms on the Social Web where similar activity does take place.

The issues raised here can easily affect children, teenagers and adults alike in all community groupings and is more important where, for example, YouTube is being used to effectively pillory a person or group. It is infact worth viewing this video yourself or having your children view this especially when they are regularly starting to use YouTube or similar social-media platforms regularly.

Article

Google and others back Internet of Things security push | Engadget

My Comments

An issue that is perplexing the personal-computing scene is data security and user privacy in the context of dedicated-function devices including the Internet Of Things. This has lately come to the fore thanks to the KRACK WPA2 wireless-network security exploit which mainly affects Wi-Fi client devices. In this situation, it would be of concern regarding these devices due to the fact that the device vendors and the chipset vendors don’t regularly update the software for their devices.

But ARM Holdings, a British chipmaker behind the ARM RISC microarchitecture used in mobile devices and most dedicated-function devices has joined with Google Cloud Platform and others to push for an Internet-Of-Things data security platform. This is very relevant because the ARM RISC microarchitecture satisfies the needs of dedicated-function device designs due to the ability to yield greater functionalities using lean power requirements compared to traditional microarchitecture.

Here, the effort is centred around open-source firmware known as “Firmware-M” that is to be pitched for ARMv8-M CPUs. The Platform Security Architecture will allow the ability for hardware / software / cloud-system designers to tackle IoT threat models and analyse the firmware with a security angle. This means that they can work towards hardware and firmware architectures that have a “best-practice approach” for security and user-friendliness for devices likely to be used by the typical householder.

There is still the issue of assuring software maintenance over the lifecycle of the typical IoT and dedicated-function device. This will include how newer updated firmware should be deployed to existing devices and how often such updates should take place. It will also have to include practices associated with maintaining devices abandoned by their vendors such as when a vendor ceases to exist or changes hands or a device reaches end-of-life.

But at least it is another effort by industry to answer the data-security and user-privacy realities associated with the Internet Of Things.

A wireless router set up in the ordinary way as a base station or hub for your home network isn’t at risk of the KRACK exploit

The computing press has been awash with articles regarding a recently-discovered security vulnerability that affects Wi-Fi wireless networks. This vulnerability, known as KRACK, compromises the authentication process associated with the WPA2 security protocols that most Wi-Fi home and business networks implement.

What is affected

But it mainly affects client devices like laptops, smartphones and the Internet of Things which connect to Wi-Fi networks using WPA2 facilitated through software that isn’t patched against this risk.

It also can affect Wi-Fi infrastructure devices that serve as a repeater or client-side bridge in a Wi-Fi wireless network segment – this encompasses Wi-Fi client bridges used to connect desktop computers or smart TVs equipped with Ethernet connectivity to a Wi-Fi network, Wi-Fi repeaters, distributed-Wi-Fi setups and mobile devices implementing “bridge-to-Wi-Fi” functionality.

Data security risks

The security and privacy risk occurs at the media level of your network connection which would represent the Wi-Fi wireless link to the access point / router.

If you use higher-level encryption protocols like gaining access to Internet resources through SSL / TLS encryption which includes “https” Webpages, implementing a client-based VPN or using IP telecommunications apps that implement end-to-end encryption, you have reduced the risk factor for your data security that the KRACK vulnerability poses. Access to LAN-based resources like your NAS or printer from within your network can be a risk with Wi-Fi clients that aren’t patched to mitigate this risk as with unencrypted Internet resources.

Current remediation efforts

This situation has been rectified for regular computers running Windows 7 onwards through a patch that Microsoft rolled out as part of the October 10 security update. Here Microsoft didn’t disclose this vulnerability until there was a chance for all of industry to have patches in beta testing or “ready to roll”.

Just lately (1 November 2017 AEDT) Apple released patches for MacOS High Sierra, Sierra and El Capitan versions; and iOS 11.1 (iPhone 7 onwards, iPad Pro 9.7″ (2016) onwards); tvOS 11.1 (4K Apple TV onwards) and watchOS 11.1 to address this issue.  The Intego Mac Security Blog post that I culled these details from was miffed about the fact that the large number of iPhone 6 and earlier devices that are still in operation have not been addressed. I would also extend this concern to the older iPad and iPod Touch devices that are also in operation such as those iPod Touches the kids use or the iPad in your living room.

On December 2 2017 US PT, Apple released the iOS 11.2 update which provided this protection for iPhone 5S, iPhone SE and all model variants of the iPhone 6. This update also applies to the 12.9″ iPad Pro (1st generation), the iPad (6th generation), the iPad Air, the iPad Mini 2 onwards; and the iPod Touch (6th generation).

Other regular-computer and mobile operating systems are being updated with security patches that are coming online through the next two months or are already online.

There will also be various pieces of client-side security software that will be updated with extra code that provides extra defence against the KRACK Wi-Fi vulnerability for both the software and the host computer.

The devices you will find as having a strong risk factor for your network are “dedicated-purpose” network devices like Internet AV devices, “smart-home” devices, videosurveillance cameras and the like that don’t benefit from regular firmware updates. This will mainly affect those devices that manufacturers are declaring “end-of-support” on or a lot of “white-box” devices sold by multiple vendors. But check your devices’ manufacturers’ Websites for new firmware that will patch the device against this vulnerability.

This will not affect the typical home or other small network that is based around a wireless router. Nor will it affect networks that implement multiple Wi-Fi access points connected to a wired (Ethernet or HomePlug) backbone. This is because you are dealing with devices that serve as a Wi-Fi base station for that particular wireless network segment.

But if you have Wi-Fi infrastructure devices using some sort of repeater or bridge functionality, check with the vendor for a firmware update for your device.

As well wireless router and access-point manufacturers, especially those courting the business and allied markets, will offer newer firmware to harden their devices against the KRACK vulnerability.

Remember that well-designed devices will implement at best an automatic software-update process or you may have to visit your device’s Settings, Setup or Configuration menu to download new firmware.

As well, the Wi-Fi Alliance have updated their certification tests for network hardware to be sure that such hardware isn’t vulnerable to this risk. These certification tests will be required before a product can show the Wi-Fi Certified logos and will affect products being introduced from this month onwards.

Keeping your network secure until new software is available

If you run Wi-Fi network infrastructure hardware that implements repeater or bridge functionality, disable the Wi-Fi client mode or repeater mode on these devices until your device is running firmware hardened against this vulnerability.

The HomePlug powerline adaptor can help with mitigating risks associated with the KRACK WPA2 Wi-Fi network vulnerability

You may also have to set up your home network with multiple access points linked to a wired backbone as the preferred way to extend the network’s coverage or reach to another building as has been done with this man-cave. A good example of this is to use a HomePlug wireless access point kit which uses your home’s AC wiring for this purpose. If you use a “Mi-Fi” mobile router that supports Wi-Fi data offload, disable this functionality until it is loaded with the latest secure firmware.

Similarly, use a wired network connection such as Ethernet or HomePlug to connect sessile devices like desktop computers, Smart TVs, printers and the like to your home network. This may not be feasible with those devices that only support Wi-Fi connectivity as their network-connection option.

Conclusion

You can mitigate the risk of the KRACK WPA2 Wi-Fi network vulnerability as long as you keep your computer equipment running software that is patched with the latest security updates.

If you use Wi-Fi infrastructure devices that work as a Wi-Fi client like repeaters or client bridges, these have to be updated with the latest firmware from their vendor. As well, use of wired backbones and access points for expanding your home network’s coverage will achieve the proper level of security against this risk if you are dealing with client-capable Wi-Fi infrastructure devices that aren’t updated with the latest software.

Let’s not forget that higher-level encryption protocols like SSL or client-side VPNs do mitigate the risk of data theft through this vulnerability.

Updated (1 November 2017 AEDT) to reflect the latest concerning what is happening with the Apple platforms.

Updated (11 December 2017 AEDT) to reflect the increased number of iPhones and iPads protected against the KRACK exploit by the iOS 11.2 update

Article

Check that your driver software is up to date on these HP business laptops.

HP issues fix for ‘keylogger’ found on several laptop models | ZDNet

Keylogger Found in Audio Driver of HP Laptops | BleepingComputer

From the horse’s mouth

Hewlett-Packard

Download site – identify your computer’s model number in the form on this site to obtain a list of the relevant software

My Comments and further information

Just lately, a security weakness had been found in the Conexant HD Audio driver software that was delivered to a large number of recently-issued HP business-tier laptop computers. It may also affect some of their consumer-focused laptops that run this driver. Let’s not forget the reality that some of you may have one of the affected HP business laptops as a consumer-tier computer, perhaps due to buying an ex-lease or surplus unit. This weakness affects driver versions 10.0.46 and prior versions.

The problem manifests with the MicTray64 program that comes with this software package. Here, it is a keyboard monitor that listens for particular keystrokes in order to allow the user to control the computer’s integrated microphone. But, thanks to debug code being left in the production release of this software, the software becomes a keylogger, writing keystrokes to a cleartext logfile (MicTray.log) in the Users\Public folder on the computer’s system drive.

But what is a monitor program for those of you who want to know? It is a program that “listens” to activity from or to a peripheral for a particular event then instigates a pre-defined activity when a particular event occurs. In most cases, you see these programs in operation when you use a printer or scanner with your computer and they show up a print-job status message when you print or catch scan jobs you started from your scanner’s control surface.

If you have this version of the Conexant HD Audio driver software on your HP business laptop, you may have to use Task Manager to kill the MicTray64 keyboard-monitor process, as well as removing it from the Scheduled Tasks list. It may also be worth moving the MicTray64.exe file out of the Windows\System32 folder and the MicTray.log file out of the Users\Public folder on the system disk to somewhere else on your computer’s file system and see if the computer is still stable and, if so, delete those files.

An update that rectifies this problem has been made available on the HP.com driver download site but should also be made available through Windows Update. This will be available on Wednesday 10 May 2017 (US Pacific Time) for those machines made since 2016 and on Friday 12 May 2017 (US Pacific Time) for systems made during 2015.

HP may have software installed on these systems to check for newer versions of the software drivers, which may simplify the process of updating your computer’s drivers and firmware.

This is endemic of a situation where driver software and system firmware is rushed out the door without being checked that it is production-ready and good-quality software. This software ends up as part of the distribution software image that comes with newer computer equipment, including appearing on the recovery partition of your computer’s system disk.

A good practice is to regularly check your computer manufacturer’s Website for newer drivers and firmware for your computer at regular intervals and install this software. This practice will allow you to have a computer that runs in a more secure and stable manner, perhaps gaining some extra functionality that answers current requirements along the way.