Data security Archive

Regular operating systems and their vulnerability to security threats

Article

Which Is More Vulnerable To Viruses And Hackers: Windows 10 or Mac OS X? | Gizmodo

My Comments

Lenovo ThinkPad X1 Carbon Ultrabook

The Lenovo ThinkPad X1 Carbon – an example of a laptop based on a regular computing platform

During the 2000s, the personal computing scene focused on so-called “regular” personal computers, i.e. desktop and laptop computers that ran a desktop-grade operating system. The main platforms were the Windows platform, heralded by Microsoft with hardware made by plenty of other manufacturers, and the Macintosh platform that was made by Apple. Of course, there were a few personal computers that ran one of many open-source Linux distributions which were effectively UNIX.

There was the issue of security risks magnified due to an increased amount of personal and business computing time spent online through the Internet. In most cases, especially with the Windows platform, these risks were mitigated using a desktop or endpoint security program installed on the client computer. Although I have constantly seen the Apple Macintosh platform at risk of security exploits, that platform wasn’t at risk because there were fewer computer users using that platform.

Enter Windows Vista. This operating system had improved security features like operating as a regular user unless necessary but these were tacked on to the Windows XP codebase. This led to poor performance and computer users saw the value of switching to the Apple Macintosh platform for regular computing needs with some even using Apple’s iWork office tools as a way simply to dump Microsoft.

This led to the Apple Macintosh platform becoming more vulnerable due to its increased popularity and the use of “write once run anywhere” code like Java. Apple had to pull their finger out to improve the Macintosh platform’s security and, like Microsoft, engage in regular software updates and patches.

Improvements

Major upgrades for pennies’ worth or free

Windows 10 Start Menu

Windows 10 – a free upgrade from Windows 7 or Windows 8.1

Microsoft and Apple had even started to offer newer iterations of their operating systems to home users and small businesses at prices that would represent chump change or, later on, offer these iterations for free.

Apple started the ball rolling with Mac OS X for pennies’ worth starting with OS X Lion and for free starting with Mavericks. Subsequently Microsoft used Windows 8 to facilitate a software upgrade for pennies’ worth and used Windows 10 to instigate a free software upgrade program.

The major upgrades typically had security improvements like creation of app stores and newer secure codebases.

Blind updates for security patches

A way software developers keep their software going strong is to deliver updates and patches that rectify software bugs and allow the software to improve in performance. The delivery of these updates is being used to harden the software against known security exploits, often as soon as these holes are discovered.

Windows Update – one stop shop for software patches along with automatic delivery

This process typically involved users finding patches or newer code on the developer’s Website but Microsoft and Apple have put an end to this. Initially they set up a “one-stop-shop” program for downloading these updates, including any peripheral-driver updates, but have improved on this by providing for “blind updating”. This is where the operating system automatically downloads and installs these patches as soon as they become available without you needing to do anything except, perhaps, reboot the computer when prompted.

Microsoft and Apple are even working on having these patches become effective once they are installed without you needing to reboot your computer. This is being achieved in the newer operating-system variants and with some newer patches.

The option for secure boot

Apple implemented in the Macintosh standard firmware a way to only let MacOS X boot on their Macintosh computers and this provided a sense of security because it can only allow these computers to run Apple-authorised code.

Microsoft and Intel are now implementing this through UEFI and Secure Boot, which allows for authorisation of operating systems and pre-boot software that runs on a computing device. This has been considered controversial because it would wrest control of the computer from users who may want to deploy Linux, especially a custom Linux distribution, or wish to run with a dual-boot setup.

App stores and walled gardens

Windows 10’s own app store

Another weapon that Microsoft and Apple are deploying comes from the world of mobile computing where mobile operating systems implement an “app store” which is a one-stop software “shopping mall”.

Like a suburban shopping mall with its physical goods, these app stores have tight controls on who can sell their software there. Here, the software has to be provided by an identifiable developer and approved and audited by the operating system developer who runs that app store.

There is also a requirement for the software to be sandboxed and have access to certain parts of the operating system rather than having full run of your computer.

Another factor that is also considered important is that if an application “does the right thing” by its users and the operating-system vendor, it is typically highly recommended or featured such as being given an “editor’s choice” or put in the “spotlight”. This gives the program increased exposure which attracts more installations and more purchases. As well, there are user-review mechanisms where people can uprate or downrate the software.

But both the Macintosh and Windows platforms require the ability to work with established software deployments that are typically installed via removable media or a download from the developer’s site. This is due to their legacy where people installed software from floppy disks or CDs or downloaded software from bulletin boards and download sites.

Windows 10 is providing a way to harden things further when it comes to this software in the form of Device Guard. This is a form of sandboxing which allows only certain programs to run on a computer but is made available to the Enterprise Edition only. This is because the process for setting up this whitelist would be considered very difficult for householders, small businesses and community organisations.

Steam – one of the most common games managers

For games, major games studios are implementing their own app stores and games delivery systems in order to allow for cross-platform game and supporting-content delivery. Here, they want regular-computing gaming to have that same level of confidence associated with console or mobile gaming. This is although Apple and Microsoft deliver games through their app stores. The best example of this is Valve’s Steam online games shop but there are others like EA’s Origin.

Conclusion

What is happening is that for both the Windows and Macintosh computing platforms, they are being made more secure and malware-resistant and it is becoming a race between Apple and Microsoft to keep the regular computing environment as safe as a mobile computing environment.

What is this about “cyberflashing” and how to prevent it?

Samsung Galaxy Note 2 smartphone

Taking control of local data-transfer functionality like AirDrop can help you avoid unwanted surprises

Article

Cyberflasher Airdrops rude images to victim’s iPhone | Naked Security (Sophos)

My Comments

A problem that has started to surface for Apple iOS users is the ability for someone to send gross images to strangers courtesy of the AirDrop feature that newer iterations of this platform have. Situations where this typically happened were when the offender and victim were on public transport or in public areas.

This feature makes it easy to share photos between iOS and MacOS X devices in a local area using Bluetooth and Wi-Fi technologies and provides a thumbnail image of incoming photos rather than a dialog box asking if you want to receive the image.

This was feasible with Android and other open-frame mobile operating systems courtesy of Bluetooth Object Push Profile but these platforms, especially Android, hardened themselves against this by making your phone undiscoverable by default and providing a narrow time limit for having your phone discoverable by Bluetooth devices. As well, these platforms required your permission to start receiving the file and you didn’t see one bit of that file until you gave the go-ahead.

Android and Windows improved on this using a passcode that you and your correspondent exchange before a file is transferred and the NFC functionality that is part of recent Android versions requires you to physically touch the backs of the phones as part of instigating the data transfer.

The same situation may also crop up with Wi-Fi Aware as it implements Bluetooth local discovery for ad-hoc Wi-Fi networks created by mobile devices and will require users to be able to take control of what notifications and files they receive on their devices if this technology is for transferring files.

Protecting yourself

A good practice to observe is to turn off the AirDrop feature unless you make regular use of it. Or, at least, set AirDrop’s discoverability settings to “Off” or “Contacts Only” rather than “Everyone” so that every man and his dog can’t discover your phone. You would turn this function on if you are expecting a photo from someone not yet in your Contacts List.

In some situations, you may have to disable Wi-Fi and Bluetooth unless you are actually using these features such as linking to a hotspot or using a Bluetooth headset.

You may find that changing your device’s identity to your initials or something innocuous rather than your first name may work wonders in these situations.

I would also prefer that any local data transfer or similar activity between users takes place in a manner where each participant can see each other. This may be at the same table in a café, restaurant or library, the same seating cluster in a lounge area, the same row of seats in a public-transport vehicle or a similar area of close proximity. As well, such activity should be preceded by relevant conversation.

What must be preserved

If a setup allows for local data transfer between computer devices using a wireless medium, there must be a way of allowing the users to confirm their intent to transfer the data between each other. This means that the sender and receiver know whom the data is coming from and to and must occur before a single bit of the actual data changes hands.

This may be through the sender exchanging a simple passcode to the receiver or requiring the devices to physically be near each other at the start of the data transmission. The latter solution may be in the form of NFC where the users touch the backs of their devices together, or a QR code shown on the sending device’s screen that the receiving device has to scan before transmission takes place.

If a user wants to simplify this process, they could create a “trusted recipients” list which can be their Contacts list or a separately-created list. Personally, I would use all of the “friends” in a social network as this list because that tends to encompass too many people and an account can too easily be compromised.

The same thing must also apply to social networks, online gaming and similar services where one user may want to enrol another user in to their personal lists. This is more important if any of these services facilitate the transfer of files between users or support any form of instant messaging.

Pay-TV security technology is relevant for the Internet Of Things

D-Link DCH-3150 myDLink  motion sensor

An Internet-Of-Things sensor that would require regular software updates to be secure

Article

Content security vendors need to prevent babycam hacking nightmares | VideoNet

My Comments

A problem that will get worse in this day and age is weak security affecting home automation and security. This is based around easy-to-misconfigure hardware pitched at home users on a “set it and forget it” basis. It has led to consumer IP-based cameras being hacked and their content being thrown to undesirable Websites.

This is driven by a common mindset associated with devices sold to consumers where the goal is to buy it, install it and use it without requiring the consumer to worry about it more.

The Pay-TV ecosystem invests in and uses a high-security path to protect the expensive content such as the Hollywood blockbusters or the big-league sports that it provides to its subscribers. This is always evolved and updated to counteract new threats to this ecosystem and to handle new applications. They also used the “end-to-end” approach including supplying hardware to consumers and updating the software in this hardware automatically and without the consumer having to do anything extra.

Similarly, regular-computer setups have been made secure with Microsoft and Apple delivering security updates to Windows and MacOS X on a regular basis as threats come about. This is because of these systems having a heritage of being used in the business environment for a long time.

The article raised the concept of companies who provide home monitoring and allied services offering a turnkey installation and configuration service to their customers as a premium service or simply alerting customers to misconfigured hardware and hacking attempts if customers prefer to install their own hardware. They could use the Pay-TV technology to secure the content path between the cameras and the Web dashboards or mobile apps that the customers use.

“Blind updating”

AVM FRITZ!Box 3490 - Press photo courtesy AVM

AVM FRITZ!Box – self-updating firmware = secure network infrastructure

What I would like to see more is the ability to patch network-infrastructure hardware in a similar manner to what is done with pay-TV, regular-computer operating systems and some cloud-hosted services. This is where security updates and patches are delivered and installed automatically to these devices. In some cases, it may be preferable to provide an interactive update process for major software versions that add or change a device’s functionality.

A good step in the right direction was AVM with their Fritz!Box routers where they introduced the concept of automatic software updating to this class of device when they released new firmware for the Fritz!Box 7490.

These processes will have to require manufacturers to instigate software authentication and verification workflows and have their devices verify software updates before deploying them. This is to prevent the deployment of malware to these devices.
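The device-side check described above, as an added example that is not code from AVM or any other vendor: the updater accepts an image only if its manifest is signed by a vendor key pinned in the device, is built for this model, is newer than the running firmware, and matches the image hash. The manifest layout, the `Device` type, the function names and the choice of Ed25519 are assumptions made for illustration; the images and model names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped with each firmware image.
// The layout is an assumption made for this example.
type Manifest struct {
	Model   string   // hardware model the image was built for
	Version uint32   // build number, increases with every release
	Digest  [32]byte // SHA-256 of the firmware image
}

// signedBytes gives the exact bytes that are signed and verified. The label
// and the length prefix keep two different manifests from encoding alike.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("fw-manifest-v1|%d:%s|%d|%x",
		len(m.Model), m.Model, m.Version, m.Digest[:]))
}

// SignRelease is the vendor side: hash the image, then sign the manifest.
func SignRelease(priv ed25519.PrivateKey, model string, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.signedBytes())
}

var (
	ErrBadSignature   = errors.New("manifest not signed by the pinned vendor key")
	ErrWrongModel     = errors.New("image built for a different model")
	ErrRollback       = errors.New("image is not newer than the running firmware")
	ErrDigestMismatch = errors.New("image does not match the signed digest")
)

// Device models what the updater on the device knows.
type Device struct {
	Model          string
	CurrentVersion uint32
	VendorKey      ed25519.PublicKey // pinned at manufacture, never taken from the update
	Flash          []byte            // stands in for the firmware partition
}

// VerifyUpdate checks the signature first, so that model, version and digest
// are only trusted once they are known to come from the vendor.
func (d *Device) VerifyUpdate(m Manifest, sig, image []byte) error {
	if len(d.VendorKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(d.VendorKey, m.signedBytes(), sig) {
		return ErrBadSignature
	}
	if m.Model != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.CurrentVersion { // a genuine but old, vulnerable build
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// Install writes the image only after every check has passed.
func (d *Device) Install(m Manifest, sig, image []byte) error {
	if err := d.VerifyUpdate(m, sig, image); err != nil {
		return err
	}
	d.Flash = append([]byte(nil), image...)
	d.CurrentVersion = m.Version
	return nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenarios runs constructed update attempts against one device and returns
// the result of each, keyed by name.
func Scenarios() map[string]error {
	pub, priv := newKey()
	_, rogue := newKey()
	image := []byte("constructed firmware image, build 6")
	dev := &Device{Model: "router-x", CurrentVersion: 5, VendorKey: pub}
	out := map[string]error{}

	m, sig := SignRelease(priv, "router-x", 6, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	out["tampered image"] = dev.VerifyUpdate(m, sig, tampered)

	edited := m
	edited.Version = 9 // manifest changed after signing
	out["edited manifest"] = dev.VerifyUpdate(edited, sig, image)

	rm, rsig := SignRelease(rogue, "router-x", 6, image)
	out["wrong signer"] = dev.VerifyUpdate(rm, rsig, image)

	om, osig := SignRelease(priv, "router-x", 4, image)
	out["rollback"] = dev.VerifyUpdate(om, osig, image)

	xm, xsig := SignRelease(priv, "camera-y", 6, image)
	out["wrong model"] = dev.VerifyUpdate(xm, xsig, image)

	out["genuine"] = dev.Install(m, sig, image)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```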

Fiat Chrysler are now facing the security issues associated with the connected car

Articles

Jeep Grand Cherokee outside family house - press picture courtesy of Fiat Chrysler North America

Jeep Grand Cherokee – make sure that the uConnect system runs the latest firmware

Jeep drivers: Install this security patch right now – or prepare to DIE | The Register

From the horse’s mouth

Fiat Chrysler

Blog Post

UConnect Website (Go here to update your vehicle)

Vehicle list

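| Make | Model | Model-years affected |
| --- | --- | --- |
| Chrysler | 200 | 2015 |
| Dodge | Durango | 2014 |
| Dodge | Viper | 2013-2014 |
| Jeep | Cherokee | 2014 |
| Jeep | Grand Cherokee | 2014 |
| RAM | 1500 | 2013-2014 |
| RAM | 2500 | 2013-2014 |
| RAM | 3500 | 2013-2014 |
| RAM | 4500 / 5500 | 2013-2014 |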

The vehicles affected would be equipped with a uConnect-capable 8.4” touchscreen radio system.

My Comments

The connected car is now being highlighted as a device that has security issues. This was exemplified previously by BMW when they rolled out a patch for their connected infotainment system in the newest vehicles because of a security risk.

Now it is Fiat Chrysler’s turn: their UConnect connected infotainment system, which has a stronger link with the car’s powertrain, needed a software update because of this same issue. It was brought about by a discovery made by a pair of hackers, in relation to a 2014 Jeep Cherokee owned by one of these hackers, concerning undesirable remote control of this “family 4WD”. Vehicle owners who have an affected 2013-2015 vehicle can download the update file from the UConnect Website to a USB memory stick and then transfer that file to their vehicle. If you are not confident with this process, you can have the mechanics at the dealership where you bought the vehicle perform this upgrade while your vehicle is being serviced by them.

At the same time, the US Congress is legislating for security standards concerning connected vehicles including software protection for the vehicles’ powertrain, steering or braking in the form of the “Security and Privacy In Your Car Act” (SPY Car Act). This is in a similar vein to various design rules and standards that nations require vehicles to comply with for safety like seatbelt or lighting requirements. Even the US Senator Markey called out that drivers shouldn’t have to choose between being connected or being protected.

Again, this is a class of devices which is easily driven by the marketing impetus to have them on the market. But there needs to be a culture to encourage a secure environment for connected vehicles as there is for desktop computing.

One way would be a continual update process for the firmware associated with the connected vehicle, including aftermarket setups that have any effect on the vehicle’s steering, brakes or powertrain. This would preferably be in the form of a blind-update process like what happens with most operating systems when you set them to automatically update and patch.

Personally, this could be facilitated by having the connected vehicle work with the home network whenever it is garaged at home. This would then allow it to download the updates overnight while it is not in use. As well, the motorist should have the chance to choose what updates are provided like with enterprise variants of operating systems.

FIDO Alliance to encompass U2F authentication to Bluetooth and NFC setups

Articles

Samsung Galaxy Tab Active 8" business tablet press picture courtesy of Samsung

Bluetooth and NFC will allow keyfobs, cards and mobile devices to work as authentication devices for each other

FIDO Alliance adds authentication support for NFC and BLE | NFC World

From the horse’s mouth

FIDO Alliance

Press Release

My Comments

Soon it will be feasible for Bluetooth and NFC “touch-and-go” authentication to play a part in open-frame multiple-factor authentication thanks to FIDO Alliance. This is primarily to court those of us who are using mobile devices and want the same level of security as valued with regular computers.

The main goal of the FIDO Alliance was to get the USB transport interface working properly but then to have it work across other transports like Bluetooth and NFC. This is due to most mobile devices, including an increasing number of laptops and “2-in-1” computers, coming with Bluetooth including Low-Energy (Bluetooth Smart Ready) and NFC functionality, along with Android and Windows exploiting NFC functionality fully at the operating system level.

Example applications made feasible with Bluetooth and NFC in the second-factor authentication sphere include:

  • use of a “touch-and-go” card or a Bluetooth keyfob as your second factor for authenticating to a service from your regular computer or your mobile device – the device doesn’t need a standard USB socket
  • a smartphone that uses a software “second-factor” authentication program like Authy could transmit the second-factor code to your regular computer or tablet by Bluetooth or NFC “touch-and-go”.

As well, the fact that smartphones have a hardware (SIM-based) or software secure element means that they can become as much a strong partner in your data-security arsenal. The concept is also being extended to the idea of devices like smart locks and cars having the Bluetooth and / or NFC abilities along with an onboard secure element of some form.

Similarly the U2F and UAF specifications could earn their keep as a transport for other dedicated-purpose devices like smart locks which typically are implementing Bluetooth Low Energy and/or NFC technology as part of their presence in the Internet Of Everything. This can open up paths of innovation for integrating such devices in a personal-security web of trust.

New online-abuse Website launched in the UK

Articles

UK government tackles online abuse with anti-trolling website | We Live Security blog (ESET)

Cyberbullies: Anti-trolling website launched to help victims | The Independent

Government launches anti-trolling website to help victims of online abuse | The Guardian

Previous Coverage

What can you do about people who use the Social Web to menace

Dealing with Internet trolls

From the horse’s mouth

Stop Online Abuse (UK-based)

My Comments

The UK government have launched a Website focusing on online abuse and how to deal with it, including legal remedies and resources.

It is focused more towards women and the LGBT (gay/lesbian/bi/trans) community who are facing these issues because, from various surveys, these user groups are often copping it the most. This covers online abuse related to domestic violence, sexism and sexual harassment, along with homophobia and related anti-LGBT abuse. But there are other situations where people do suffer in silence such as general racism, issues-focused or business-level disputes.

I see the “Stop Online Abuse” website applying to all situations where the Internet is involved and a lot of the commentary is very generic. But I do see some limitations with the legal remedies because there may be difficulties with applying them when situations happen across jurisdictions as is the norm with the Internet.

For example, the crime of “sending messages using any public electronic communications network such as Twitter or Facebook, which are grossly offensive or of an indecent, obscene or menacing character” that is part of the UK’s Communications Act 2003 may have a legal equivalent in your jurisdiction. This may be in the form of one or more national communications statute that proscribes the use of a communications service or “common carriage service” to harass others. Similarly, there are court injunctions that were cited for the UK like the Family Law Act 1996 Non-Molestation Order or the Protection From Harassment Act 1997 restraining order that have equivalents under your jurisdiction’s criminal, civil or family law but with different names.

It is worth contacting your local citizen’s advice bureau or similar government or voluntary organisation for more resources. In fact, locating an organisation that specialises in your particular circumstances like a domestic-violence support organisation may provide you with better information suited to your exact needs.

Similarly, it is a wise move for these organisations to “bone up” on the issue of online abuse so they can provide the right advice to suit their clients’ situations and needs. National, regional and local governments along with the judiciary can also see this site as a chance to provide a Web-hosted “one-stop shop” for their constituents to know more about these issues. This is in addition to creating legislative remedies for online-abuse problems. As well, as each case is litigated in a family, criminal or civil context, the knowledge created from the legal action can be used to tackle this situation better in the courtroom.

Google brings forward a feature that ends email remorse

Article

Compose Email or New Email form

Sometimes you may wish you haven’t sent that email

Now you can avoid email sender’s remorse with Gmail’s ‘Undo Send’ feature | Naked Security (Sophos blog)

My Comments

You end up sending that misspelled email to your boss or click “Reply All” instead of “Reply” when you send that reply. Or a late Friday night alone with some music playing on the stereo and a half-empty bottle of whiskey beside you means that you type out that inappropriate email to that former love interest. These can lead to situations where the email you sent can have embarrassing or disastrous consequences.

Google has now integrated a “delayed sending” feature in to the GMail service so that you can opt to cancel sending that email. Here, once you enable this feature, you can specify a certain amount of time to wait before actually sending that email. This enables a “Cancel Send” button which takes the email out of the Outbox so it isn’t on its embarrassing way and would cope with situations like misspelt or misaddressed messages or “half-the-facts” situations. This is another feature that Google dabbled with in their labs to beat the “I wish I didn’t send that” blues and they rolled this in to production GMail deployments.

The previous feature they worked on was a CAPTCHA setup that would come in to play when it is the late evening. Here, you would have to solve a maths equation before you could send out that email, as a way of assessing whether you had a bit too much to drink and were about to send that drunken email. But they could extend this functionality to cope with the drunk email by having a user-selectable option to hold all emails that you send during a certain time window like 10pm-6am on Friday and Saturday nights for a longer time or until the next day.

This can easily be implemented in email client software as well as Webmail setups so you don’t have to use GMail to have these features. But Google is the main email service provider who is targeting the issue of sender’s remorse by providing the delay options.

Beware of fake posts and online scams relating to the Nepal earthquake

Previous coverage

Malaysia Airlines air disaster–another event bringing out the online scams

My Comments

Just lately, a disaster that has affected many people has occurred with many casualties in the form of the Nepal earthquake.

But what follows on the tail of these disasters is an avalanche of spam email and flaky social-media posts that offer extra insight or paths to assistance for people who are touched by these events. As well, it is the time when scams pretending to be charity appeals intending to provide aid to the victims of this earthquake also appear on the Internet. It is something I have drawn attention to previously when there was the Malaysian Airlines MH370 air disaster which drew out these scams and am drawing attention to in relation to the latest earthquake. But they lead you to malware or to harvest users’ personal or financial details. In these situations, it pays to think before you click on that link so you are safe with the Net.

Check for legitimate resources that offer information about your relatives’ or friends’ wellbeing and some of these could include Nepalese consulates in your area, the Red Cross or similar services and work with them “from the horse’s mouth”. That means to deal with official websites that are known to the public and are usually published by the media as part of their coverage on the issue.

Facebook does offer a legitimate Safety Check service which comes in to play during civil emergencies. Here, it would identify if one was in an affected geographical area and allow the person to interact with them to know if they are safe and this status would appear in your Facebook Friends’ news feed. For that concerned person, they would be able to check on the News Feed for their relative’s or friend’s status. But be careful of any “fake friends” that appear around the time of this disaster and any post from a friend of yours that isn’t known to be in the area but is out of order should be questioned.

As for charity appeals, most of the media provide information about legitimate fundraising efforts that are taking place so you don’t get fleeced easily.

What to do is to be aware and careful with using the Internet to find details about who is affected by a major event and check with trusted resources.

Being careful about online marketplaces

House

Online marketplaces can be used to sell houses,

Increasingly, the Internet is becoming full of sites where you can advertise items for sale or swap. These range from online-auction sites like eBay through to “online-classifieds” sites like Craigslist, Gumtree or Le Bon Coin, to online car-sales or house-sales directories like Carsales.com.

Holden Torana LX street machine

…cars including classic cars ….

A problem that can easily happen with these sites is where someone can use various forms of fraud or trickery to scam you out of your money or have you misrepresent the goods being sold. This doesn’t matter whether you are the buyer or the seller of the goods concerned. A friend whom I go to church with passed on an email about a bad experience that someone he knew had when he sold a vehicle on Carsales.com .

Deal with the site directly

Speedboat on trailer for sale

… or boats

As you manage your interactions with these online marketplaces, use the same cautions as what would be expected for online banking and broking. Here, you need to be suspicious of phishing approaches and interact with the site using its known Web address. This is a good time to add the online marketplace to your browser’s Favourites or Bookmarks; or create an operating-system link (available on the Desktop) to the marketplace.

It is also a good habit to monitor the ad on the Website to make sure it hasn’t been modified by anyone but you if you are selling the goods in question. This is important in relation to the price of the item being sold.

eBay screenshot

eBay – one of the most common online marketplaces

As well, deal with your email service in a cautious manner. Here, if you use a Webmail service, log in to the Webmail service by starting a Web browser and logging in using its Web address or coming in to the service using an entry point that you preset for it.

Settle the transaction in a traceable manner

As you settle the transaction, make sure you use a payment system like PayPal where the payments can be traced and you can reverse the transaction if there are questions about the goods. This is more important if the goods aren’t being handed over in person.

Craigslist

Craig(s)List – the popular online-classifieds Website

As well, deal with the payment system “at the horse’s mouth” when following up the transaction by using the system’s Web site. This is important when you are dealing with high-value goods.

Beware of transaction values that are way over or under the odds

Transactions that are way “off the beam” should ring alarm bells. This is important whether you are a buyer or seller because a person who is offering well over the odds for something you sell may be engaging in a fraudulent transaction. Similarly, goods advertised well below their expected value may have many questions about their provenance or condition.

Research the goods you buy

When you are buying goods through an online marketplace, make sure you know about the goods you intend to buy so you can make an informed decision. This may involve researching the Web generally about the item, dealing with online forums specific to the kind of item being sold or simply talking with one or more people who are knowledgeable about the goods.

In the case of vehicles, watercraft and aircraft, find out their fair market value through resources like the Red Book (Australia, New Zealand or Asia Pacific), Kelley Blue Book or NADAGuides in the US, or Parkers Guides in the UK. If you are dealing with a “classic”, it may be worth contacting a club associated with that marque or model, or browsing through a magazine dedicated to those cars like Hemmings to assess the real value of them.

As well, use resources like CarFacts (Australia) or Autocheck to verify if the car has been stolen or written off, or if there are debts outstanding on it. In some cases such as a car that was just privately imported, you may have to use similar resources based in a country other than your own as well as your own country.

Making contact with the other party

Try to make contact with the other party at least through the online marketplace’s enquiry system so you can exchange more details about the goods that are the subject of the transaction. It is also a better idea to make a telephone call with each other so you can be sure you are dealing with a real person. Sometimes making a Skype or Viber videocall can work wonders so you can see whom you are dealing with and you can have them show you the item in question.

For high-value items like vehicles or boats, make sure you can see the item in person. This is to verify the goods are genuine and so you can assess their condition properly. This also includes being able to take the vehicle for a test-drive to put it through its paces. In the case of vehicles, especially when one is buying their first car, I have always advised bringing one or more friends along when seeing the seller and the vehicle in order to obtain a better opinion about the vehicle.

What is social sign-on?

Spotify login screen with option to login using Facebook

A trend that is being associated with online services or applications is to provide “social sign-on” for new and existing users of these services. This is based around the concept of single sign-on where you use one set of credentials verified by one service to authenticate with one or more other services. This time, the credential pool that is used for authenticating users is your membership with a social network like Facebook or Twitter. The expression is sometimes extended to cover other authentication-data pools like Microsoft’s authentication services associated with Outlook.com/Hotmail, Windows 8 or Xbox; or Google’s authentication services used for Gmail and YouTube.

TripAdvisor webpage with social sign-on and personalisation from Facebook

In a social sign-on arrangement, your credentials are held and tested at the social-network’s servers and both the online service and the social network create a unique “token” or “key” to link and authenticate your presence on these services. The common methods that these services use are based around the OAuth or OpenID protocols used for single sign-on across multiple services.

Social sign-on concept diagram – relationship between the social network and online service

As well, your social attributes (name, birthdate, etc) that you have stored on the social network’s servers would be copied in to your account on the online service when this account is being provisioned. You will know about this when your social network pops up a screen asking you whether to allow the online service to gain access to your details held at the social network.

Advantages

There are some key advantages with using a social sign-on setup.

One is to benefit from a simplified provisioning process for your online service. This is without the need to key in the same data across multiple services. It also includes use of a pre-authenticated email address which is considered of high value with forums, commenting facilities and the like because most social networks especially Facebook, Google and Microsoft implement strong measures to combat fraudulent identities.

We also benefit because there are fewer sets of credentials to remember. As well, if a social network implements improved user-security measures like multifactor authentication or “trusted-device” operation, this flows on to the online service we use.

Some of the online services also can provide a personalised experience such as granting you birthday wishes on your birthday, including making those “special birthdays” such as the “big zeros” or the 21sts highly special.

Disadvantages

The disadvantages that can occur include weak links in the authentication protocols and a total dependence on access to and the security of a particular social-network account.

This also encompasses situations where a workplace or school may implement measures to shut out access to social networks in the name of productivity or an oppressive regime may shut out access to the popular social networks to curtail free speech. This can limit access to the online service because of its dependence on the social network.

How can it be operated properly

To assure users of their privacy, a social sign-on setup needs to identify any attributes that it is obtaining from a social network and ask for the user’s consent before it obtains them. As well, the login procedure should allow for one to create a login that is independent of a social network, whether in conjunction with a social-network presence or not.
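The token exchange and attribute copying described earlier, and the consent and independent-login points above, can be seen from the online service's side in the following added example, which is not code from any service named here. It assumes an OpenID Connect provider; the endpoint, client id, redirect URI and function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint, client id and redirect URI, constructed for this example.
AUTHORIZE_URL = "https://social.example/oauth/authorize"
CLIENT_ID = "demo-client-id"
REDIRECT_URI = "https://service.example/callback"
# OpenID Connect standard scope that releases each attribute.
ATTRIBUTE_SCOPE = {"name": "profile", "birthdate": "profile", "email": "email"}


def build_login_request(attributes, session):
    """Return (authorization URL, disclosure text) for the declared attributes."""
    unknown = sorted(set(attributes) - set(ATTRIBUTE_SCOPE))
    if unknown:
        raise ValueError(f"undeclared attributes: {unknown}")
    scopes = ["openid"] + sorted({ATTRIBUTE_SCOPE[a] for a in attributes})
    session["oauth_state"] = secrets.token_urlsafe(32)  # ties the reply to this browser
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
        "state": session["oauth_state"],
    })
    disclosure = "This service will receive: " + ", ".join(sorted(attributes))
    return f"{AUTHORIZE_URL}?{query}", disclosure


def handle_callback(callback_url, session):
    """Return the authorization code, or None if the user declined consent."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    returned = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError("state mismatch: callback is not tied to this login")
    if "error" in params or "code" not in params:
        return None  # caller falls back to the service's own login form
    return params["code"][0]


def provision_account(userinfo, attributes):
    """Copy only the declared attributes; 'sub' is the stable link to the provider."""
    account = {"provider_subject": userinfo["sub"]}
    account.update({a: userinfo[a] for a in attributes if a in userinfo})
    return account
```

The `profile` scope releases more than the one attribute asked for, so `provision_account` is where the service keeps its promise to store only what it disclosed.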

Similarly, the concept of social sign-on could be exploited by social networks and other authentication services to support simple-but-secure login for living-room applications. This is, from my experience, something that needs to be worked on because such devices require a lot of “pick-and-choose” data entry using a remote control’s D-pad to enter user credentials for online services. As well, many different users are likely to use the same living-room device.
