Data security Archive

Popular Internet-based communications platforms to be secure

WhatsApp Android screenshot courtesy of WhatsApp

WhatsApp – the pioneer for security-focused online communications for consumers

Some of the popular over-the-top messaging and VoIP platforms are being equipped for personal privacy and security.

This was a feature typically pitched at high-stakes business users but is now being pitched at everyday consumers thanks to the saga occurring in the USA between the FBI and Apple, where the FBI wanted the encrypted data held on a suspect’s iPhone.

At the moment, WhatsApp and Viber are offering secure-communications features but this could be rolled out by other messaging/VoIP/videocall platform vendors like Skype, Facebook or Apple. For that matter, WhatsApp have recently changed their platform from a subscription-funded platform to a free-to-user platform. They will continue to raise money by offering business-focused WhatsApp communications services.

Platform-wide best-case encryption by default

One of the main features is platform-wide end-to-end encryption which is implemented to “best-case standards” by default.

This means that the data that represents your calls and messages is encrypted by the end devices. Along with that, the user’s public and private keys associated with the encryption algorithm don’t stay on the company’s servers, thus not being at risk of a subpoena or other court order or government mandate. Rather, these are created by the end-user’s device and kept there.

The reference to “best-case” operation in this situation is that if the users are communicating with the latest version of the software that supports newer encryption algorithms, these algorithms are used for the encryption process. This even applies to group conversations where the “best-case” encryption method is implemented if all the correspondents are using the client apps that support that algorithm.

Authentication of contacts and their devices

As part of key exchange between contacts, there is an emphasis on authenticating one’s contacts with some systems like WhatsApp preferring a “face-to-face” method or others like Viber requiring you to read and confirm a password during a call. The former method that WhatsApp implements is for you to scan a QR code

Here, this is about whether you are really talking with the user on their device, in order to circumvent situations like lost or stolen phones, users installing their SIM cards in different devices and “man-in-the-middle” attacks. It was highlighted in Graham Cluley’s blog article about improving your security with WhatsApp.

This will typically be highlighted through the use of an indicator in your contact list that shows if a contact has been authenticated or if they have switched devices.

Concealed text/image conversations

Viber - Hide This Chat

Viber with its ability to conceal a conversation

Viber introduced to their platform the ability for one to conceal a text/image conversation which can come in handy if you are exploiting their functionality to use tablets or regular computers as endpoints for Viber conversations.

Here, you can conceal the conversation so that others cannot see it unless they enter a user-set PIN or password. Situations where this can be necessary could include an innocuous activity like arranging that surprise event through a personal conversation held in a workplace to a traveller who leaves their iPad in their hotel room which can easily be visited by Housekeeping staff.

On the other hand, you could be able to specify whether a text/image chat is to be kept on each other’s devices or to disappear like what has been valued with Snapchat.

Features that could surface in the name of security

As other online-communications platforms jump on to the secure-communications bandwagon, there could be the rise of different features or variations on the above features.

For example, a communications-platform client could implement client-level user authentication where the software can be set up to require the user to log in to the client to start a conversation. Or the primary communications device like the smartphone has to be near a secondary communications client like a laptop before the user can run the software. This feature may be considered of importance with tablets and regular computers likely to be used by other users.

To some extent, an operating system that implements multiple-user operation could allow an online-communications client to switch user profiles and phone numbers so it works totally personally to the user.

There could be the ability for a user to mandate device-level authentication or encryption before a conversation takes place with a contact. This could allow for one to be sure they are talking to the right correspondent.

Other methods of verifying contacts and devices could surface such as the use of NFC “touch-and-go” or Bluetooth data exchange as a way of authenticating users’ devices. The software could also exploit other hardware or software “secure elements” like Trusted Platform Modules as an alternative to SIM cards for Wi-Fi-only tablets or regular computers.

This could even extend to such things as “trusted networks” or “trusted locations” where your caller can know that you are talking privately, based on factors like wireless-network parameters or proximity to particular Bluetooth devices.

Conclusion

What is now happening is that secure online conversations, once a feature that was enjoyed by big business and government, are now becoming available to every individual in the street for free. This allows them to have online conversations without being eavesdropped upon.


USB.org to introduce authentication in to the USB Type-C platform

Article

The USB Type-C connection will now be able to be authenticated irrespective of vendor


New USB Type-C Authentication spec can stop faulty cables before they do damage | Windows Central

From the horse’s mouth

USB.org

Press Release (via BusinessWire)

My Comments

Increasingly the USB connection standard has shown up a need to verify or authenticate device connections on a hardware level. Initially Apple had engaged in this practice with their iOS devices that use the Lightning connector to make sure that properly licensed Lightning cables are used with these devices. But there have been other reasons that this kind of authentication is needed.

One of the reasons was the existence of fake charging devices that are typically installed in public locations. These espionage tools look like plug-in AC chargers or “charging bars” but are really computing devices designed to harvest personal and corporate data from visitors’ smartphones and tablets. The mobile operating systems have been worked on to address this problem, whether through asking users what role the mobile device plays when it is connected to a host computing device or whether they trust the host device they connect their mobile device to.

But there has also been concern raised about ultra-cheap USB Type-C cables, typically Type-A adaptor cables, that aren’t wired to standard and could place your laptop, smartphone or tablet at risk of damage. In this case, users want to be sure they are using good-quality properly-designed cables and power-supply equipment so that their devices aren’t at risk of damage.

The USB Implementers Forum have established a connection-level authentication protocol for USB Type-C connections. This implements some of the authentication methods used by Apple for their Lightning connection to verify cables along with the ability to verify the devices that are on the other end of a USB Type-C connection.

For example, a traveller could rectify the “fake charger” situation by setting their mobile gadgets only to charge from certified USB Type-C chargers. Similarly, a business can use low-level authentication to verify and approve the USB storage devices and modems that the computers under their control are connected to, in order to prevent espionage and sabotage. Vehicle builders that supply software updates for their vehicles to rectify cyberattacks on vehicle control units can use this technique as part of their arsenal for authenticating any of these updates delivered to customers via USB sticks.

What needs to be established is that the USB interface chipsets installed on motherboards and other circuit boards need to be able to support this kind of authentication. Similarly, operating systems and device firmware would need to support the low-level authentication in order to reflect the user’s choice or company’s policy and communicate the status concerning USB Type-C devices properly to the end-user.

At least it is an industry-wide effort rather than a vendor-specific effort to verify and authenticate USB devices at the electrical-connection level rather than at higher levels.


Spear-phishing doesn’t necessarily involve links or attachments

Article

Snapchat, Seagate among companies duped in tax-fraud scam | Mashable

My Comments

Compose Email or New Email form

Spear-phishing email doesn’t necessarily have to have links or attachments

An issue that has come to light lately is spear-phishing where an email is sent to particular departments within a business to extort critical financial or other information from that business.

This recently happened to a number of American businesses including Snapchat and Seagate where the human-resources departments were told in an “official manner purporting to be from the CEO” to turn out W-2 tax forms about their employees.

For those of you in countries other than the USA, this is a statement provided by your employer which states what you earned including the taxes that are withheld and would be known as a P60 in the UK and Ireland or a Group Certificate in Australia. When in the wrong hands, these statements can be a goldmine of data that can be useful for identity theft and tax fraud.

But this may be different from a garden-variety spear-phish attack because there isn’t a requirement to visit a Website via a link or open an attachment that comes with the email. Rather this is to prepare the information in a specified computer-file format to be sent as an attachment with the email’s reply.

What was highlighted was that the spear-phish email used the look of official company correspondence such as use of the company’s trade dress (logos, colour scheme, typography) and disclaimers associated with such correspondence. As well, such emails appear to come from someone high up in the business. The spear-phishers were able to identify “who’s the boss” by performing Google or LinkedIn searches and this data could simply be found on “About Us”, shareholder-information or similar pages on a company’s public-facing Website. Such correspondence also can surface at certain seasons like holiday seasons, tax-filing seasons or special events.

This is a classic form of social engineering in the business and the staff were caving in to human error and weren’t vigilant. Here, if they see an email with an important request coming from their boss, they would follow up on this request forthwith as expected for business life. This is similar to the classic distraction-burglary or burglary-artifice scam where a householder is under pressure to let people who look like officials in to their home and these bogus officials commit crimes against the household. It can also affect small businesses as well as larger businesses and organisations, because such a request could also come from the business’s owner, a franchisor (in the case of franchised businesses) or someone who is higher up in the business’s food chain.

A similar scam which is known as “whaling”, targets business owners, managers and other known organisational figureheads with email purporting to come from partners, suppliers / service-providers like your landlord or officials such as the taxman or the Trading-Standards officials. It has the same effect as spear-phishing where you are subject to trickery to divulge sensitive information. This situation can affect businesses and organisations of all sizes from the small pizza shop on the corner to the large business in town.

The red flags to be aware of with spear-phishing or whaling are: whether the request is out of the ordinary, whether for your business or for normal business practice; whether the domains for “reply” or “origin” email addresses match the known domains for the business; or whether the writing style reflects the purported sender’s style or the accepted norms for business correspondence in the locale.

But most importantly, verify the facts from the horse’s mouth. This means sending a separate email to the proper source at the address you know them to be at or, preferably, making a phone call to check those facts. It is more important if the request happens to come “out of the blue”.

As well, be wary of out-of-the-ordinary correspondence you receive by email around the critical occasions like tax time.

Once you know what is in the norm for your organisation and industry, you should then rely on your “sixth sense” to identify if something is suspicious and report it straightaway.
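The domain and "out of the ordinary request" red flags described above can be checked mechanically before a person reads the message. The following is an added example, not something from the article: the domain list, executive name, keyword list and both sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the only domain this organisation sends mail from.
KNOWN_DOMAINS = {"example-corp.test"}
# Assumption: names of senior staff whose identity is likely to be borrowed.
EXECUTIVE_NAMES = {"jane doe"}
# Assumption: terms that mark a request for bulk staff tax or pay records.
SENSITIVE_TERMS = ("w-2", "p60", "group certificate", "payroll")

# Constructed sample: no link, no attachment, only a request to reply with data.
SPOOFED = """\
From: "Jane Doe" <jane.doe@mailbox-a.test>
Reply-To: jane.doe@mailbox-b.test
To: hr@example-corp.test
Subject: Urgent: staff W-2 forms

Please reply with all 2015 W-2 forms as a PDF before end of day.
"""

# Constructed sample: ordinary internal mail.
GENUINE = """\
From: Jane Doe <jane.doe@example-corp.test>
To: hr@example-corp.test
Subject: Team lunch

Lunch is at noon on Friday.
"""


def _domain(address: str) -> str:
    """Return the lower-cased part after the last '@' (whole string if none)."""
    return address.rpartition("@")[2].lower()


def red_flags(raw_message: str) -> list:
    """Return the list of red flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)
    flags = []

    # "Origin" address must be an exact match with a known domain.
    if from_domain not in KNOWN_DOMAINS:
        flags.append("origin-domain-unknown")

    # "Reply" address, when present, decides where the requested data goes.
    if reply_addr:
        reply_domain = _domain(reply_addr)
        if reply_domain not in KNOWN_DOMAINS:
            flags.append("reply-domain-unknown")
        if reply_domain != from_domain:
            flags.append("reply-differs-from-origin")

    # A boss's display name on an outside address is the "from the CEO" trick.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in KNOWN_DOMAINS:
        flags.append("executive-name-external-address")

    # The request itself: bulk staff records asked for by email.
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("sensitive-request")

    return flags


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, red_flags(raw))
```

A message that raises only `sensitive-request` from a known domain still warrants the phone call described above, because header addresses can be forged.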


Another router answers the needs for a secure home network

Article

eero: A Mesh WiFi Router Built for Security (Product Review) | Krebs On Security

My Comments

A common issue raised in relation to home-network routers is that they aren’t really designed for security. It applies more to the equipment that is sold through the popular retail locations like the electronics chains.

This is due to issues like firmware that isn’t always kept up to date along with an insecure “out-of-box” management-console login experience. The latter situation manifests typically in the form of a default username and password that is common across a product range rather than unique to each device.

The eero router which is effectively a Wi-Fi mesh system has answered these issues courtesy of the following: firmware that is updated automatically and a secure-setup routine based around an enabling code sent to your phone. The former method has been practised by AVM with their latest firmware for the Fritz!Box routers with these devices automatically updating. The latter method has been practised through the use of a mobile-platform app where you enter your name, email address and mobile phone number. This requires you to receive a one-time password from your smartphone by SMS. You enter this to the mobile app before you determine your home network’s ESSID and passphrase.

This kind of login experience for the management Web page could be very similar to a well-bred two-factor authentication routine that comes in to play for some online services whenever you add another device or, in some cases, as you log in. Here, the FIDO U2F standard or support for Google Authenticator could be implemented in a router to permit secure login to the management page.

As for Wi-Fi implementation, this router implements a proprietary mesh technology with each extender implementing separate radio transceivers for both the backhaul link and the client-side link. This allows for full bandwidth to be served to the Wi-Fi client devices. Each router device also has two Ethernet ports with one of those being configured for WAN (Internet) connection. Personally, I would like to see both ports switch to LAN mode on an eero router if it is serving as a repeater. This would earn its place with video peripherals, printers or desktop computers.

What I see of this is a step in the right direction for improved security for small networks and other manufacturers could learn from eero and AVM in working on a secure setup routine along with automatically-updated firmware.


XBox One joins the Microsoft world for blind updating on Patch Tuesday

Article

XBox One games console press image courtesy Microsoft

Now can be updated every Patch Tuesday

Hello XBox, Welcome To Patch Tuesday | Supersite For Windows

My Comments

Due to a very strong security reality, the IT industry is pushing a requirement for companies who make dedicated-purpose devices like games consoles and network infrastructure devices to have a continual software-revision process.

This is involving a requirement to develop and deliver software updates and patches as soon as they are aware of any bugs and security exploits. The preferred installation for these updates is to have a totally hands-off approach that occurs whenever the device is connected to the Internet.

This is becoming more important not just to protect games software against piracy, but to protect users’ privacy especially as games consoles are becoming capable of working with cameras and microphones and being part of online-gaming ecosystems where players’ details are being hosted online or on the device’s secondary storage. Similarly these devices are being part of the online-entertainment and home-network ecosystem which gives them access to network-connected devices and online services.

Microsoft has extended the approach they have with the Windows platform and brought the XBox One games console in to the software-update rhythm that is known as “Patch Tuesday”. This is where Microsoft delivers all the software updates and patches for the Windows platform on the second Tuesday of every month rather than on an ad-hoc pattern. It creates a level of predictability when it comes to keeping your computer’s operating software up-to-date and in most home and small-business setups, it is effectively a hands-off “blind update” but may require a computer to be restarted.

It is part of running XBox One on a Windows 10 codebase which will expose it to the same kind of vulnerabilities as a “regular” computer. As well, the XBox One will also end up being one of the platforms covered by Microsoft’s bug-bounty programs where computer users are paid to “smoke out” bugs in their computer software. This places importance on having operating software that is kept regularly patched and updated. It also shows that games consoles, like other computing devices can be vulnerable to bugs that can expose security weaknesses or can be vulnerable to “zero-day” security exploits that aren’t discovered by the software developer.

What could this eventually mean for software updating as far as games-consoles and similar devices go? This could put the pressure for manufacturers to develop a continual software-update rhythm including bug-bounty / vulnerability-reward programs and even push for longer software life cycles.


Google makes further efforts against unwanted software

Article – From the horse’s mouth

Google

Year one: progress in the fight against Unwanted Software

My Comments

What has become familiar for me after some computer-support tasks was dealing with unwanted software that uses fraud and deception to have computer users install the programs on their systems. Such software like TubeDimmer typically takes over one’s online experience by serving up ads typically for dodgy businesses, slowing down the user’s computer or sending off the user’s private computer-usage data to questionable entities. In some cases, the software pesters users to download other worthless software or pay for worthless IT services.

There have been some efforts in the computing industry to tackle this problem, most notably Malwarebytes Anti-Malware providing the ability to remove this kind of software. But Google has approached this problem in a multi-faceted manner.

Firstly, they have revised the Safe Browsing API used in Chrome, Android and other browsers and endpoint-security programs that exploit this API to detect the unwanted nuisance software. They also provided an online “cleanup tool” for Chrome to remove ad injectors and similar unwanted extensions from that browser.

On the AdSense and DoubleClick advertising-network front, Google have tuned their Bid Manager which is used for buying advertising space on these networks to filter out chargeable impressions that are generated by the unwanted ad injectors. Similarly, they are disabling ads which appear on these networks but are leading to unwanted-software downloads. These include the ads that show the “Download this” or “Play this” kind of text or artwork without referring to what you intend to download and is augmented by an unwanted-software policy that applies to any advertising that is about software delivery.

If you are “Googling” for software, the Google Search Results screen will highlight links that lead to the delivery of unwanted software or advertised software links.

These efforts have paid off for Google in the form of reduced user complaints about Chrome and other Google client software. There has been increased Safe Browsing alerts regarding unwanted software which has placed a roadblock against this software being installed. Chrome users and personal-IT support personnel have been able to get rid of the unwanted software very quickly and easily.

Now Uncle Sam has joined in the fight against unwanted software downloads


But there needs to be further action taking place beyond what is happening in Google’s or Malwarebytes’ offices. Uncle Sam has lent his weight behind this effort with the US Federal Trade Commission classing this unwanted software as a form of malware.

Microsoft could help with this effort by extending their security and software-cleanup tools that work with Windows, Office and Internet Explorer to provide a “one-click remove” option. Similarly Web browsers and endpoint-security software can be part of the effort to slow down the deployment of unwanted software, reduce its effect on the system or simplify its removal.

As well, there needs to be efforts taking place within the online advertising industry to clean up its act. This may involve issues like:

  1. managing the availability of low-risk high-return advertising products like “cost-per-click-only” products that appeal to “fly-by-night” operators;
  2. management and supervision of advertisers, publishers and campaigns;
  3. advertising through client-side software rather than Webpages;
  4. advertising campaigns that lead to software downloads, amongst other issues.

Such issues may have to be dealt with via establishing an industry-wide code of practice and/or use of a “seal-of-approval”. Here, this is to make sure that online advertising has the same level of respect as traditional advertising has amongst advertisers; publishers, broadcasters and advertising-surface providers; and the general public.


Another effort towards a more secure home-network router

Linksys EA8500 broadband router press picture courtesy of Linksys USA

A step towards a secure home network from Czech Republic

Article

This crowdfunded router updates its own security | Engadget

From the horse’s mouth

Project Turris

Home Page

Crowdfunding page (Indiegogo)

My Comments

A constant thorn in the side of the secure-home-network effort is the network-infrastructure equipment. This is more so with the router which stands between the Internet connection and the home network.

There have been issues where the firmware on the typical home-network router hasn’t been updated or is riddled with software exploits and bugs that can make it attractive to cyber-criminals. It is in addition to these devices being configured poorly, typically running “out-of-the-box” default configurations like “admin/admin” management passwords or default ESSID names and passwords for their Wi-Fi wireless-network segments.

AVM took a bold step towards this goal by supporting automatic software updating for their Fritz!Box routers. But now a Czech effort, spearheaded by the Czech Republic’s domain-name registry, has taken place to facilitate an open-source router design that also supports automatic software updates and enhanced network security.

The Project Turris effort is based around a multi-computer effort which keeps track of security threats that can affect home and small-business networks and uses this to amend firewall rules to protect your network better.

The router supports Gigabit Ethernet for WAN and LAN connections and 802.11a/g/n dual-band for Wi-Fi wireless LAN connections and can even support USB-based failover functionality with a USB mobile-broadband modem. It also has native IPv6 capability which makes this unit futureproof and able to work with next-generation broadband. There is even a view to have this router designed to work with the Internet Of Things as a hub device or to store data.

All of the software and even the hardware design is open-source with the software being a “fork” of the OpenWRT open-source router firmware effort, which can allow for further examination and innovation. This can lead towards more vendors offering home and small-business routers and gateways that are designed for security which would lead to a breakthrough for an affordable secure Internet service for consumers and small businesses.

The router is also about supporting other “central data server” roles such as being a NAS once coupled with a USB external hard disk or even a DVB-T broadcast-LAN server when DVB-T USB tuner sticks are connected. But I would expect a lot more from these devices like VPN endpoints, public hotspot functionality and the like. Who knows what could come about?


Could you end up determining which country your data is held in?

Article

Microsoft will host data in Germany to hide it from US spies | The Verge

My Comments

Edward Snowden has raised a very significant issue concerning the confidentiality and sovereignty of your data when he leaked what went on with the NSA. This has affected how individuals and organisations do business with American-chartered IT organisations like all of Silicon Valley.

But what has happened was that Microsoft took up a new model for setting up data storage which is in the form of a “data trustee”. This model is similar to how a trust fund operates where a third party who is known as a trustee, is tasked to control funds and assets that come in to that fund for the benefit of the recipients.

In this case, Microsoft is setting up data centers in Germany and delegating Deutsche Telekom, a telco entirely chartered in Germany, to control these data-storage facilities as a “data trustee” for them. But the data stored on these facilities will be Microsoft’s and their customers’ data.

Why Germany? Warum Deutschland? This is because Germany, a country which has passed through some horrible periods of history where big government abused citizens’ privacy in the form of the Third Reich and East Germany, has enacted some of the world’s tightest privacy laws.

What I see of this is that a person who signs up to a Webmail service, online storage service, Webhost or similar online service could be given the option to have the data held on servers in a nominated country, most likely rated according to the country’s standard of privacy and data sovereignty. Similarly, companies chartered in countries with rigorous data privacy and confidentiality standards could end up doing valuable business in renting data center space or providing online services to local and foreign individuals and companies wanting stronger privacy.

On the other hand, these countries could end up with the same reputation that Switzerland had with its banks. This was where Switzerland’s financial-secrecy laws were abused by people and companies who were laundering or concealing ill-gotten gains in Swiss banks to avoid official scrutiny. In relationship to data, this could allow for data associated with criminal activity such as child-abuse imagery or pirated software to be concealed in countries with high data-privacy standards.

But the authorities in those countries can act as a legal filter to make sure that any official data requests are for legitimate crime-fighting and personal-safety reasons rather than to suppress internationally-recognised core freedoms and liberties.


A clear reality surfaces with the Internet Of Things

Article

Linksys EA8500 broadband router press picture courtesy of Linksys USA

A tight healthy operating software update cycle can keep routers and other devices from being part of botnets

Hacked Shopping Mall CCTV Cameras Are Launching DDoS Attacks | Tripwire – The State Of Security

My Comments

What is being highlighted now is that devices that are normally dedicated-purpose devices are becoming more sophisticated in a way that they are effectively computers in their own right. This was highlighted with some network video-surveillance cameras used as part of a shopping mall’s security armour.

What had happened was that these cameras were found to be compromised and loaded with malware so that they also were part of a botnet, like what commonly happened in the 2000s where multiple computers loaded with malware were used as part of zombie attacks on one or more targets. In a similar way to a poorly-maintained computer, they were found to run with default passwords of the “admin – admin” kind and were subject to brute-force dictionary attacks.

AVM FRITZ!Box 3490 - Press photo courtesy AVM

AVM FRITZ!Box – self-updating firmware = secure network infrastructure

The article’s author highlighted that there needs to be work done concerning dedicated-purpose devices, whether they are the network-infrastructure devices like routers or devices that are part of the “Internet Of Everything”.

Here, the devices need to run constantly-updated software, which is something that is considered necessary if the device is expected to have a long service life. The best example would be some of the routers offered to the European market like the Freebox Révolution or the AVM Fritz!Box where they receive constantly-updated firmware that at least can be downloaded at the click of an option button or, preferably, automatically updated like what happens with Windows and OS X and what is done with recent iterations of the AVM Fritz!Box firmware.

As well, a device’s setup routine should require the user to create secure credentials for the management interface. In some cases, if a device is part of a system, the system-wide management console could exchange system-specific access credentials with the member devices.

What has commonly been said is that the Internet of Things needs to face a severe security incident as a “wake-up call” for such devices to be “designed for security”. This is similar to how incidents involving desktop computing, the Internet and mobile computing have served a similar purpose, like the way Windows implemented privilege escalation on an as-needed basis since Windows Vista.


HP integrates secure firmware practices in to their enterprise laser printers

Article

HP adds protection against firmware attacks to enterprise printers | PC World

My Comments

An issue that has become a reality with dedicated-purpose devices like printers, network infrastructure hardware and the Internet Of Everything is making sure these devices run software that isn’t a threat to their users’ safety and security and the integrity of their users’ data.

Most device manufacturers tackle this through a regular software-update program but this requires users to download and deploy the newer firmware which is the software that runs these devices. It is also the same path where, in some cases, these devices acquire extra functionality. AVM, a German network-hardware manufacturer, took this further by providing automatic updating of their routers’ firmware so users don’t have to worry about making sure their router is up to date and secure.

But Hewlett-Packard have approached this issue from another angle by implementing watchdog procedures that make sure rogue software isn’t installed and running on their devices. Here, the printers implement a detection routine for unauthorised BIOS and firmware modifications in a similar manner to what is implemented with business-grade computers. This effort is based on their experience with developing regular computers including equipment pitched at business and government applications.

Here, the printer validates the integrity of its BIOS during the start-up phase and loads a clean known-to-be-good copy of the BIOS if the software in the machine is compromised. Then, when the machine loads its firmware, it uses code-signing to verify the integrity of that firmware in a similar manner to what is done with most desktop and mobile operating systems. The firmware also implements an activity checker that identifies if memory operations are “against the grain” similar to well-bred endpoint-protection software. The watchdog software will cause the machine to restart from the known-to-be-good firmware if this happens.
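The three stages described above (BIOS check with recovery, signed-firmware check, run-time watchdog) can be modelled in a few lines. This is an added sketch, not HP's code: the images, key and memory addresses are constructed, HMAC-SHA256 stands in for the vendor's code signature, and "a write into the code region" is an assumed definition of a memory operation that goes against the grain.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed values. HMAC-SHA256 is a stand-in for the vendor's code
# signature; a real device verifies an asymmetric signature with a public
# key, so no signing secret ever sits on the device.
DEMO_KEY = b"constructed-demo-key"
GOLDEN_BIOS = b"BIOS 1.0 known-good image"
GOLDEN_FIRMWARE = b"FW 1.0 known-good image"
# Reference digest held in write-protected storage (assumption).
BIOS_REFERENCE_DIGEST = hashlib.sha256(GOLDEN_BIOS).digest()
# Hypothetical address range holding executable firmware code.
CODE_REGION = range(0x1000, 0x2000)


def sign(image: bytes) -> bytes:
    """Stand-in for the vendor signing a firmware image."""
    return hmac.new(DEMO_KEY, image, hashlib.sha256).digest()


@dataclass
class Printer:
    bios: bytes = GOLDEN_BIOS
    firmware: bytes = GOLDEN_FIRMWARE
    firmware_sig: bytes = field(default_factory=lambda: sign(GOLDEN_FIRMWARE))


def restore_firmware(p: Printer) -> None:
    """Reload the known-to-be-good firmware and its signature."""
    p.firmware = GOLDEN_FIRMWARE
    p.firmware_sig = sign(GOLDEN_FIRMWARE)


def boot(p: Printer) -> list:
    """Run the start-up checks in order and return the events that occurred."""
    events = []
    # Stage 1: BIOS integrity. compare_digest avoids a timing side channel.
    if not hmac.compare_digest(hashlib.sha256(p.bios).digest(), BIOS_REFERENCE_DIGEST):
        p.bios = GOLDEN_BIOS
        events.append("bios-restored")
    # Stage 2: firmware is only run if its signature verifies.
    if not hmac.compare_digest(sign(p.firmware), p.firmware_sig):
        restore_firmware(p)
        events.append("firmware-restored")
    events.append("running")
    return events


def watchdog(p: Printer, write_addresses: list) -> list:
    """Stage 3: restart from good firmware if running code is being modified."""
    if any(addr in CODE_REGION for addr in write_addresses):
        restore_firmware(p)
        return ["anomaly-restart"] + boot(p)
    return []


if __name__ == "__main__":
    print(boot(Printer()))
    print(boot(Printer(bios=b"modified BIOS")))
    print(boot(Printer(firmware=b"modified firmware")))
    print(watchdog(Printer(), [0x1800]))
```

Replacing the firmware together with a plain SHA-256 of the new image as its "signature" still fails stage 2, which is the difference between a signature and a checksum.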

Initially this functionality will be rolled out to this year’s LaserJet Enterprise printers and MFCs with any of the OfficeJet Enterprise X or LaserJet Enterprise machines made since 2011 being able to benefit from some of this functionality courtesy of a software update. There is a wish for this kind of functionality to trickle down to the consumer and small-business desktop printers that HP makes.

What I like of this is that HP has put forward the idea of continual software integrity checking in to embedded and dedicated devices. This isn’t a cure-all for security issues but has to be considered along with a continual software-update cycle. Personally these two mechanisms could be considered important for most dedicated-purpose device applications where compromised software can threaten personal safety, security or privacy; with the best example being Internet routers, modems and gateways.
