Data security Archive

Make sure you properly log off Web services when you are finished with a shared computer

Log out properly of GMail by clicking "Sign Out"

A common situation that affects most home users is the existence of a desktop, laptop or tablet computer used by many people of the household. This computer may not just be used by members of the household but also by the household’s guests. I was in fact talking about this with someone who had come in from overseas and was using a commonly-used iPad to work a few Web-based services like his GMail and Facebook accounts. Here, he and I were underscoring the need to properly log out of these services when done with them as well as clearing Web-browser history on these devices.

Log out properly of Facebook by clicking "Log Out" in Settings

But as one operates their Web-based email, social-networking and other services using these computers, it can be easy to leave a session of these services going especially if you are called away for some reason. This could lead to other members of the household snooping around your account or doing something on that account in your name like playing a practical joke.

A wise practice with these computers is to make sure you log off your Web-based services as soon as you have finished with these services and before you leave the computer. To do this properly, you have to click or tap the “logout” or “sign out” button on the Web-based service’s user interface, which causes the service to log you out as far as it is concerned while cleaning up any cookies and other data held on your machine relating to that session.

Familiarise yourself with the option to remove your Web-browsing history on your browser

Similarly, clearing your Web browser’s history, especially when finished using these commonly-used computers, is also a wise practice. This avoids other users “tracking back” in to previous sessions for Web-based services or having people snoop on what previous users have been browsing the Web for. The latter situation could either cause some nasty gossip to float around or, at worst, put the user in danger.

Use of multiple logins

Some operating systems like Windows and Android 4.2+ tablet implementations allow for the creation of separate accounts on that system so that each user can have their own operating environment. This can be beneficial because you can avoid the situation where someone can “snoop” around your Web history or someone’s Web email or social-network session that hasn’t been logged off properly.

Here, you could use one login as a “common-user” login while creating separate logins for the computer’s regular users. The regular users then use their own logins when they use the computer so they don’t have to worry about this kind of issue. Similarly, the separate logins can be personalised with wallpapers, “favourite Website lists”, customised colour schemes and the like as well as supporting application-level links to various social-network and other sites.

Windows 8 and 8.1 also implement a login setup which can be ported and synced across multiple computers thus allowing you to carry your computing environment between, say, a desktop and a laptop or to operate your computing environment on both your personally-used machine and a commonly-used machine.

Here, it is still a good practice to log off these accounts or enforce a lockout on them when you have finished at the computer so you can keep them private and less at risk of being meddled with.

Once you get in to the habit of logging off Web-service or user accounts on commonly-used computers and clearing Web history lists on these computers, you can avoid placing yourselves in a vulnerable position with your Internet use.

Computer security is about trusting your instincts

Article

Festive season security myth: "If there are no links in an email, it can’t be a phish." | NakedSecurity Blog

My Comments

As I have seen when educating people about computer security, a key part of it is to think before you click. Here, it is about being careful about responding to emails and Websites of doubtful provenance so you don’t become a victim of a scam or find your computer full of malware.

For example, phishing scams initially used links in the email as a hook to get people to “verify” their accounts or take similar action. But they are now using “loaded” attachments, with the copy of the email not having any links or HTML. This avoids the email being rejected by security tools that are part of email clients, or the populace not taking the bait due to public education about phishing scams. The hooks in these situations are the attachments, which are crafted to take advantage of weaknesses in the software or carry links to Web resources as mentioned below.

PDF files represent their own dangers because they can either be crafted maliciously or contain links to Web resources. This is compounded by the problem that not all PDF reader software handles Web links in a manner similar to a Web browser. For example, a lot of these programs don’t show the URL when you hover over or dwell on the link before you click.

I would personally like to see PDF and similar document viewers support the ability to link with “website-reputation” engines like what Symantec and other security-software vendors offer and show graphics that indicate if a link you are hovering on is safe or not. Similarly, search engines, website reputation agents, security scanners and similar tools could also examine PDF files for abnormal construction and questionable links.
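The kind of check described above can be sketched in a few lines. This is an added example, not code from any product named here: it lists the link targets inside a PDF, including those inside Flate-compressed streams, so they can be read before anything is clicked. The sample document, the shortener list and the two warning rules are assumptions made for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# Hosts treated as URL shorteners (assumption: extend this set for real use).
SHORTENERS = {"bit.ly"}
# PDF names that let a document act without the reader choosing a link.
ACTIVE_NAMES = (b"/OpenAction", b"/JavaScript", b"/Launch")

# Body of a stream object, up to its "endstream" keyword.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
# A URI action target written as a PDF literal string: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.S)


def searchable_bytes(pdf: bytes) -> bytes:
    """Return the raw file plus every stream that inflates as FlateDecode (zlib)."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes left after the data.
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # stream uses another filter or is not compressed
    return b"\n".join(parts)


def unescape(raw: bytes) -> str:
    # Drop the backslash in front of escaped characters (simple cases only).
    return re.sub(rb"\\(.)", rb"\1", raw, flags=re.S).decode("latin-1")


def audit_pdf(pdf: bytes) -> dict:
    """List each distinct link target with warnings, plus any active-content names."""
    data = searchable_bytes(pdf)
    links, seen = [], set()
    for match in URI_RE.finditer(data):
        url = unescape(match.group(1))
        if url in seen:
            continue
        seen.add(url)
        host = (urlsplit(url).hostname or "").lower()
        notes = []
        if host in SHORTENERS:
            notes.append("shortened: real destination hidden")
        if re.fullmatch(r"[0-9.]+", host):
            notes.append("raw IP address instead of a name")
        links.append({"url": url, "host": host, "notes": notes})
    active = [name.decode() for name in ACTIVE_NAMES if name in data]
    return {"links": links, "active_content": active}


def sample_pdf() -> bytes:
    """Constructed sample: one visible link, one link inside a compressed stream."""
    plain = (b"1 0 obj\n<< /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (https://example.com/invoice) >> >>\nendobj\n")
    hidden = zlib.compress(b"<< /Type /Annot /Subtype /Link "
                           b"/A << /S /URI /URI (http://bit.ly/constructed) >> >>")
    packed = (b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
              % len(hidden)) + hidden + b"\nendstream\nendobj\n"
    trigger = b"3 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
    return b"%PDF-1.5\n" + plain + packed + trigger + b"%%EOF\n"


if __name__ == "__main__":
    report = audit_pdf(sample_pdf())
    for link in report["links"]:
        print(link["url"], link["notes"])
    print("active content:", report["active_content"])
```

The scan only reads literal `/URI (...)` strings and zlib-compressed streams; links stored as hex strings, or streams using other filters, are not decoded.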

Instead, we have to do a “reality check” regarding these emails. For example, are the emails from a company whom you have had business with or part of ongoing business with that company? Are you expecting an email to come through with attachments? Do they contain a lot of poor spelling or grammar or aren’t commensurate to the language they are meant to be written in? Do they reflect the tone of what the business and its industry is about? Simply, does the context sound too “out of this world” to be real?

This also applies to any offers provided through instant-messaging or social-network channels including the Facebook “fake-event” scams that are popping up as I have mentioned before.

But for the moment, are you sure that the link or attachment you are to click on is kosher before you click on it?

Facebook Events–a new vector for distributing spam

Facebook event spam notification in Notifications list - comes from a Friend

Article

Spammers Using Facebook Events to Trick Users | ReadWrite

My Comments

Ever since its early days, scammers have used Facebook as a place to spam users with their shady schemes. Previously this was through running a message with a tantalising link surrounded by tantalising text on users’ Walls and this link would pass through to some unscrupulous site.

This has failed to work now that Facebook has achieved critical mass with users subscribing to different Groups, Pages and Personal Profiles including those that represent their interests. This situation leads to the News Feed, the user’s default view in Facebook, being full of various pieces of information from different sources.

But, over the years, Facebook introduced a notifications mechanism for events beyond potential Friend requests or comments left on a Status Update and users are more likely to check on what has been added to the Notifications list. Here, it also introduced the Event which a Facebook user can invite their Friends or Followers to depending on its settings and this allows the user to register whether they are attending or not.

Event page for spammy Facebook event

This has become a new path for distributing link-bait spam because these Events don’t come often in a user’s interaction with Facebook. Similarly, the default setup has it that Facebook treats the Events as something to generate a Notification about and it effectively shows up the red “Notifications” flag in the Web view while causing native clients to show a distinct alert message and audio prompt when these come in. For example, the mobile clients for iOS and Android would list the event in the mobile operating system’s Notifications tray while causing the phone to sound a distinct ringtone, or the Facebook Windows clients will “pop up” a message on the Desktop with your computer sounding an audible chime.

As well, if you “accept” these Events, they will appear as a Status Update on your Wall (Timeline). Of course, it will require the user to click through to the Event page and this will show a URL for you to click through to for more details, most likely along with some tantalising pictures. These URLs are where the trouble occurs because they could lead to installation of malware on your computer or other questionable practices taking place, and some of these URLs are in fact obfuscated using URL-shortening services like bit.ly.

If these “event spam” notifications come from one of your Facebook Friends, don’t click on anything to do with the Event page. Rather, let your friend know that they are the victim of a spammer and suggest they change the password on their Facebook account and run a malware scan on their computer.

Firmware updates to be available to fix D-Link router vulnerability

Articles

D-Link to padlock router backdoor by Halloween | PC World Business

D-Link plans firmware update to disable backdoor | The Register

From the horse’s mouth

D-Link

Update On Router Security Issue

My Comments

Recently, the computer press was awash with articles pointing to an exploit in some of the popular D-Link routers. Here, a computer on the local network pushes through a malformed URL to the router’s Web management page to bypass the login screen for the router’s management dashboard. The exposure is greater with improperly-setup Wi-Fi network segments hosted by these routers, or with computers on the local logical network that are loaded with malware that takes advantage of this vulnerability.

Now D-Link is working towards offering revised firmware that fixes the exploit for each of the router models that are affected by this issue and is releasing this on its product support pages.

But of course, it is important to make sure that the wireless network segment that is part of your home or small-business network is secure with WPA2-Personal security and a random passphrase along with an SSID that doesn’t reflect the make or model of the router. Similarly, it is good practice not to enable remote administrative access on these routers and confine administrative tasks to the local network only.

This is in addition to other good computer housekeeping practices like running anti-malware software on your regular computers and being careful what you click on.

For that matter, I would encourage people to keep the firmware on their routers or other network hardware up-to-date in the same way we would keep operating systems and application software up-to-date.

Hacking incident with the hallmarks of distraction burglary

Article

‘Bogus IT guys’ slurp £1.3m from Barclays: Cybercops cuff 8 blokes • The Register

Barclays Bank computer theft: Two men in court over £1.3m haul | BBC News London

From the horse’s mouth

Metropolitan Police (London)

Press Release

Barclays Bank

Press Release

My Comments

KVM switch and 3G router attached to the bank's computer to hack the system (Metropolitan Police London press image)

Very often, I have heard and read crime-prevention articles touching on the issue of “distraction burglary”. This is where a person gains access to someone’s home or business under the pretext of a legitimate reason such as to read the meter or do some inspection and takes advantage of this to commit or facilitate crimes, typically burglaries.

The material often encouraged people to check that the visitor is real and legitimate and has a legitimate reason to visit before admitting them to their premises. One of these campaigns that I considered notable was the “Stop Chain Check” campaign in the UK that was run by various UK police forces in concert with TV Licensing and other utilities, where older residents were to have the door chain on before they opened the front door and to verify the credentials of that visitor.

Even IBM ran an awareness campaign through the 70s targeting Selectric typewriter owners who had equipment-maintenance contracts with them, warning them of bogus service representatives. Here, the bogus repairmen would claim that the customer’s Selectric needed workshop attention and would take the machine away for “repair”. Similarly, businesses had to be careful about people showing up as official telephone-company representatives to perform work on their telephone equipment because of this being used as a cover for planting bugs or phone taps.

Recently, there was a hacking incident targeted at Barclays Bank in Swiss Cottage, London where someone gained access to the bank branch’s IT equipment under the pretence of doing IT support work for the bank. Here, they attached a KVM-over-IP switch and a 3G mobile-broadband router to a computer at that branch and used this setup to commit a very large fraud against Barclays.

The hallmark of this fraud was an unannounced service call by people pretending to be the bank’s IT staff or contractors. It was very similar to the aforementioned distraction burglaries, with the criminals acting like the fake meter readers who were gaining access to people’s homes. There is also another similarity to the new practice of “spear-phishing”, which is similar to the classic “phishing” attacks where official-looking email from a bank or similar organisation is used to siphon confidential data from customers, but the attack is targeted at a particular employee of a particular company for access to highly-confidential business material.

A good practice for businesses who have IT-service contracts is to maintain a single point of contact between the business and the contractor. Here, you have an ability to pre-arrange any work that needs to be done on the equipment and be aware of any impending work, whether to rectify a fault or improve the IT system. As well, people in the business or similar environment need to know what equipment is currently in service or available for service.

Also, we have to be suspicious if someone is forcing upon us the installation of hardware or software, the modification of existing hardware or software or the removal of hardware, especially if the work hasn’t been arranged previously. This is more so if the work isn’t explained, the equipment’s owner or organisation’s management aren’t kept in the loop or, at worst, the visitors insist that no-one is in the office while the work is underway.

In conclusion, even if you do have your house in order when it comes to Internet-based security threats, you also need to be sure of what is going on if someone visits you to work on your computer equipment.

The newly-discovered security risk in all-platform runtime environments

Introduction

The recent security scare with the Apple Macintosh platform and its exposure to the Flashback malware was centered around the use of Java on this platform, rather than being targeted directly using native code. There have also been similar risks targeted at this platform, this time using the Adobe Flash runtime environment.

Previously the typical computer’s operating system, desktop-productivity software and default Web-browsing environment has been targeted by malware writers. This has been more so with software that is used by many people, like Microsoft’s Windows XP operating system and Internet Explorer Web browsers.

But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.

So malware authors are now turning their arrows towards the multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or this component is rolled in to some computing platforms.

These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.

One main problem – Java and how it is maintained on the Macintosh

The Java runtime environment used to be delivered with the Windows platform until 2004 due to a legal agreement between Sun and Microsoft regarding an anti-trust issue. Windows users now pick up the runtime code from Oracle’s Java website, since Oracle has taken over the Java environment from Sun.

But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system until “Snow Leopard” or as a separate download from their Website for subsequent users.

For both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, it, like the Adobe Flash runtime, has to be updated separately.

Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java runtime, and they can set up the Java installer software to implement the latest version automatically or let them know of updated Java runtimes. But Apple don’t pass on new updates for the Java runtime to MacOS users as soon as Oracle release them.

What Apple should do is pass on the Java runtime updates as soon as Oracle releases these updates. This could involve Apple ceding the management of the MacOS X Java runtime to Oracle and writing any necessary integration code to support co-ordinated maintenance of this runtime on the Macintosh platform.

What users can do with these runtime environments

Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run-anywhere” platforms up-to-date by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through various options offered by the installer.

But do you need to keep any of these runtime environments on your regular computer? You could do without it but some vertical, enterprise and home software requires the use of these runtime environments. In some cases, some developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.

For example, YouTube, most browser-hosted games or file-transfer interfaces for Websites implement Adobe Flash Player while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.

If you are not likely to be running any programs that depend on a runtime environment regularly or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.

What can the industry do

Use of computer security software to protect against runtime-environment attacks

A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.

This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.

This could be achieved through the use of plug-in modules for current desktop and appliance-level security applications; or for modules that connect to the runtime environments, observing for abnormalities in the way they handle computer resources.

Development of enhanced runtime environments that work with the host operating system’s security logic

It can also be feasible for the runtime environments to work tightly with the operating-system’s user access management and prevent the programs that work behind them from using resources unless they are explicitly allowed to. This could involve use of sandboxes or privilege levels that mimic the operating system’s privilege levels thus working at the lowest level unless they have to work higher.

Consistent and responsive updating of the runtime environment across all platforms

Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.

This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.

Allow design-time native-binary compiling for desktop Java

Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.

It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.

Conclusion

Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and make them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.

Apple has now released a software fix for the Flashback trojan

Articles

A look at Apple’s Flashback removal tool | MacFixIt – CNET Reviews

Apple releases fix for Flashback malware | Engadget

Downloads – Apple’s support Website

Java Update for MacOS 10.6

Java for MacOS Lion

My Comments

Apple has reacted to the groundswell of concern about the recent Flashback malware and have issued updates to its Java runtime environment for both MacOS Snow Leopard and Lion.

Here, they have implemented a check-and-remove routine for this Trojan as part of the installation routine for the new Java runtime environment. For most Macintosh users, this will simplify the process of removing any existence of this malware as well as keeping this runtime environment up-to-date.

The CNET article also gave a detailed review of what goes on as well as how to fix situations if the installation takes too long and the procedure hangs. As I have posted previously, Apple could improve on the issue of providing system maintenance and desktop security software so that Mac users can keep these systems in good order.

Security issues concerning field-updatable device software raised in HP lawsuit

Article

HP sued over security flaw in printers | Security – CNET News

My comments

An increasing trend that I have covered on this site and have noticed with equipment that I have reviewed is for the equipment to be updated with new firmware after it is sold to the customer.

Field-updating practices

Previously, this practice involved the device’s user using a regular computer as part of the update process. In a lot of cases, the user would download the update package to their computer and run a special program to deploy the update to the connected device. If the device, like a router, was connected via the network, the user uploaded the update package to the network-connected device via its management Web page or other network-file-transfer methods.

Now it is becoming more common for one to update the software in their device without the need to use a regular computer. This would be done using the setup options on the device’s control surface to check for and, if available, load newer firmware. 

It also includes the device automatically polling a server for new firmware updates and inviting the user to perform an update procedure or simply updating itself during off-hours for example; in a similar vein to the software-update mechanisms in Windows and MacOS.

As well, an increasing number of devices are becoming able to acquire new functionality through the use of “app stores” or the installation of add-on peripherals.

The HP lawsuit concerning printer firmware

Just last week, there has been a lawsuit filed against HP in San Jose District Court, California, USA concerning weaknesses in the firmware in some of their printers allowing for them to accept software of questionable origin. Issues that were raised were the ability to load modified software that could facilitate espionage or sabotage. This was discovered through lab-controlled experiments that were performed on some of the affected printers.

As all of us know, the firmware or apps are typically held on servers that can be easily compromised if one isn’t careful. This has been made more real with the recent Sony PlayStation Network break-ins, although data pertaining to users was stolen this time. But it could be feasible for a device to look for new firmware at a known server and find compromised software instead of the real thing.

They even raised the question not just about the software that is delivered and installed using a computer or network but the ability to install ROM or similar hardware chips in to the device to alter its functionality. I would also see this including the ability to pass in code through “debug” or “console” ports on these devices that are used to connect computers to the devices as part of the software-development process.

This could have implications as equipment like home appliances, HVAC / domestic-hot-water equipment and building security equipment become field-programmable and join the network all in the name of “smart energy” and building automation. Issues that can be raised include heaters, ovens or clothes dryers being allowed to run too hot and cause a fire or building alarm systems that betray security-critical information to the Social Web without the users knowing.

Further ramifications of this lawsuit

Device manufacturers will have to look at the firmware that governs their products in a similar vein to the software that runs regular and mobile computing equipment. This includes implementing authenticated software delivery, software rollback options and the requirement to keep customers in the loop about official software versions and change-logs (differences between software versions).

In some cases, business computing equipment like laser printers will have firmware delivered in a similar manner to how computer software is rolled out to regular computers in larger businesses. This includes software that enables centralised firmware deployment and the ability to implement trial-deployment scenarios when new firmware or add-on software is released.

Devices that have proper-operation requirements critical to data security or personnel / building safety and security may require highly-interactive firmware delivery augmented with digital-signature verification and direct software-update notification to the customer.
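The device-side check that “authenticated software delivery” and “digital-signature verification” imply is sketched below as an added example; it is not HP’s or any vendor’s code. The device holds only a public key and refuses any update whose signed manifest or image has been changed. Assumptions: the model name and firmware bytes are constructed, and a Lamport one-time signature built from SHA-256 stands in for the vendor’s real signature scheme so that the example runs with the Python standard library alone.

```python
import hashlib
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = sha256(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """Vendor: 256 pairs of random secrets; the public key is their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in private]
    return private, public


def sign(private, message: bytes):
    """Vendor: reveal one secret of each pair, chosen by the message digest bits.
    A Lamport key must sign one message only."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Device: each revealed secret must hash to the matching public value."""
    if len(signature) != 256:
        return False
    return all(sha256(s) == public[i][bit]
               for i, (s, bit) in enumerate(zip(signature, digest_bits(message))))


def build_manifest(model: str, version: str, image: bytes) -> bytes:
    """Vendor: the signed statement binds model, version and image hash together."""
    fields = {"model": model, "version": version,
              "sha256": hashlib.sha256(image).hexdigest()}
    return json.dumps(fields, sort_keys=True).encode()


def device_accepts(public, model: str, manifest: bytes, signature, image: bytes):
    """Device: check the signature before trusting anything inside the manifest."""
    if not verify(public, manifest, signature):
        return (False, "manifest signature invalid")
    fields = json.loads(manifest)
    if fields["model"] != model:
        return (False, "firmware is for another model")
    if hashlib.sha256(image).hexdigest() != fields["sha256"]:
        return (False, "image does not match signed hash")
    return (True, "ok: version " + fields["version"])


def run_demo():
    """Constructed scenario: one genuine update and three that must be refused."""
    model = "EXAMPLE-PRINTER-1"            # hypothetical model name
    image = b"constructed firmware image v2.0.1"
    altered = image + b" plus unauthorised code"
    private, public = keygen()             # only the public half ships in the device
    manifest = build_manifest(model, "2.0.1", image)
    signature = sign(private, manifest)
    forged = build_manifest(model, "2.0.1", altered)   # rebuilt without the private key
    return {
        "genuine": device_accepts(public, model, manifest, signature, image),
        "tampered_image": device_accepts(public, model, manifest, signature, altered),
        "forged_manifest": device_accepts(public, model, forged, signature, altered),
        "wrong_model": device_accepts(public, "EXAMPLE-PRINTER-2", manifest,
                                      signature, image),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```

Because the version string sits inside the signed manifest, the version the device reports to the customer is covered by the same check as the image itself.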

Similarly, security-software vendors may push for a system of integrating software solutions, including “edge-based” hardware firewall appliances in the process of software delivery to other devices.

Conclusion

What I would like to see out of this case if it is allowed to go “all the way” is that it becomes a platform where issues concerning the authenticity, veracity and safety of field-updatable firmware for specific-purpose devices are examined.

Lost data on USB drives–can even affect individuals and small business

Articles – From the horse’s mouth

Press Release | Kingston

My Comments

I have had a look at the Kingston press release about the security of data held on USB flash drives and found that it was based on a Ponemon Institute study commissioned by Kingston. The main factor that I had observed was that the survey was based on data that represented the “big end of town” – the larger companies and government departments who typically handle a lot of high-stakes company and customer data.

Here I still find that small businesses and individuals are as at risk from removable-media data theft as are larger organisations. Most of these users would consider secure data storage as storing the confidential data on a USB memory key or external hard disk rather than on the computer’s hard disk. Here, they would keep that memory key or external hard disk locked in a desk drawer, filing cabinet or safe when the data is not needed. If the data isn’t changed or viewed often, like a valuables inventory, the USB memory key or external hard disk may be kept at a bank’s safe-deposit facility.

As well, the typical USB memory key can be attached to one’s keyring that has their house, car and business keys on it and a lot of these users may take advantage of the fact. These key rings are often at risk of loss due to absent-mindedness that can be common amongst us or theft as has been known to happen in the UK and Europe where houses have been broken into in order to steal the keys for powerful or expensive cars that are parked at these houses.

Of course, it is not just government and big business who handle or are responsible for “high-stakes” ultra-confidential data. Small businesses and individuals can also handle this kind of data, whether they provide services to these entities or not.

For example, I had provided technology assistance to a “one-person” business who valued fine art, antiques and collectables. This involved the handling of data relating to the collectable items and who owned the collectable items, as I commissioned newly-bought computers or trained her in computing techniques.

As well, individuals may need to keep copies of information pertaining to personal medical and legal issues where there is a strong emotional link. This information may be considered of high value where it concerns individuals who are in the “public eye” and the tabloid media are hungry for any bit of information about these individuals in order to run that exclusive “scoop”.

A common reality that this “enterprise-focused” article misses is that the typical small-business owner or personal user chooses and purchases their own computer hardware from retail. This is compared to larger organisations who maintain a dedicated IT team who is responsible for purchasing and maintaining the computer and communications technology for that organisation.

For this class of user, I would recommend that they use removable storage that is made by respected brands like Kingston, Verbatim, Sony or SanDisk. It may be worth knowing that some of the good retailers may resell these good brands under their own labels, usually in the premium end of those labels.

I would also recommend that you investigate the use of security-enabled encrypted USB memory keys. Here, I would look for those units that have continual software support from the vendor. This is important if you change your computing platform, like what Apple hopes users do, or move to newer versions of your current operating systems.

As well, you should make sure that you have good desktop security software on your computer. You could even get by with free programs like AVG or Microsoft Security Essentials. Even Macintosh users should make sure they run good anti-malware software on these computers especially as software threats are targeting this platform as well.

It is also worth making use of strong passwords or other data-locking options that the operating system or USB security software may provide for the confidential data. This may work in conjunction with the common practice of keeping the removable media under lock and key such as in a locked filing cabinet or safe.

What I fear is that a lot of press concerning data security tends to be focused at the big end of town and smaller users tend to be forgotten about. As well, a lot of the good-quality data-security options are often designed and priced out of the range of the small business operator or consumer even though there is a need for this level of data security amongst some of this class of user.
