Tag: data security

What is the Declaration For The Future Of The Internet about?

Articles

Lenovo ThinkPad X1 Carbon Ultrabook

Internet services now under a worldwide declaration

US signs Declaration for the Future of the Internet alongside 60 global partners | Windows Central

US Pledges to Keep an Open Internet With Dozens of Other Countries – CNET

Governments Pledge to Keep an Open Internet, Not Russia, China (gizmodo.com)

From the horse’s mouth

The White House, USA

FACT SHEET: United States and 60 Global Partners Launch Declaration for the Future of the Internet | The White House

Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf (whitehouse.gov)

My Comments

The US, European Union, Canada, UK, Australia, New Zealand and many other countries signed a declaration regarding the Internet. This declaration, called the “Declaration For The Future Of The Internet” is an effort by the Biden White House to reinforce what the Internet is to be about as an open network of networks with a fair playing field.

This is a response by these countries against digital authoritarianism that has been shown by authoritarian regimes like Russia, China, Iran and North Korea. It encompasses domestic and international online repression efforts like censorship along with international political destabilisation efforts like election / referendum interference, disinformation campaigns and cyberattacks.

There is also the same fear that due to populist strongman politics taking place ins some Western and other countries not associated with that kind of politics, the Internet as a symbol of freedom of expression could be under threat in those countries.

It is a reference for public policymakers, citizens, the business community and civil society organisations, but is non-binding. This is seen as a sticking point amongst some because sone countries like the USA aren’t toeing the line when it comes to a free and open Internet with issues like civilian surveillance. But some policymakers in some governments, international organisations and civil society could see this as a “gold standard” for what the Internet should be about.

The goal in this Declaration is to maintain what the Internet was about when it came about in the 1990s – an open network of networks that is freely accessible to all.

It is about protecting fundamental human rights and freedoms for all people in the online space. As well, it is about the global Internet that facilitates the free flow of information for citizens and businesses. That also includes inclusive and affordable connectivity to the Internet, which also factors in access from rural and remote areas. As well, there should be an increase in our digital skills so we can work the Internet competently.

Trust in the global online ecosystem is also underscored, including protection of the privacy and confidentiality of end-users. This is about safe secure private Internet use. For businesses of all sizes, it is about allowing them to compete, innovate and thrive in their own merits.

This goal is to be facilitated using reliable secure interoperable and sustainable infrastructure around the world. Here it would be managed in a multiple stakeholder approach to assure common benefit.

An issue that will need to he looked at is how online services are operated by the private sector. This is with expectations regarding end-user privacy along with their operation as a social good. It may also have to include support for healthy competition between online service providers so as to support innovation and service affordability.

I do see a strong possibility that the Declaration For The Future Of The Internet as a “Gold Standard” for what is expected of the Internet as part of a democratic society.

Zoom to provide privacy notifications for video conferences

Article – From the horse’s mouth

Zoom (MacOS) multi-party video conference screenshot

Zoom to introduce privacy disclosure for enhanced functionalities during a video conference

Zoom

Zoom Rolls Out In-Product Privacy Notifications – Zoom Blog

In-Product Privacy Notifications – Zoom Help Center (Detailed Resource)

Previous Coverage on videoconferencing platform security

A call to attention now exists regarding videoconferencing platform security

My Comments

As the COVID-19 coronavirus plague had us homebound and staying indoors, we were making increased use of Zoom and similar multi-party video conference software for work, education and social needs. This included an increased amount of telemedicine taking place where people were engaging with their doctors, psychologists and other specialists using this technology.

Thus increased ubiquity of multi-party videoconferencing raised concerns about data-security, user-privacy and business-confidentiality implications with this technology. This was due to situations like business videoconference platforms being used for personal videoconferencing and vice versa. In some cases it was about videoconferencing platforms not being fit for purpose due to gaping holes in the various platforms’ security and privacy setup along with the difficult user interfaces that some of these platforms offered.

During August 2020, the public data-protection authorities in Australia, Canada, Hong Kong, Gibraltar, Switzerland and the UK called this out as a serious issue through the form of open letters to the various popular videoconferencing platforms. There has been some improvement taking place with some platforms like Zoom implementing end-to-end encryption, Zoom implementing improved meeting-control facilities and some client software for the various platforms offering privacy features like defocusing backgrounds.

Zoom has now answered the call for transparency regarding user privacy by notifying all the participants in a multi-party videoconference about who can save or share content out of the videoconference. This comes in to play with particular features and apps like recording, transcription, polls and Q&A functionality. It will also notify others if someone is running a Zoom enhanced-functionality app that may compromise other users’ privacy.

There is also the issue of alerting users about who the account owner is in relation to these privacy issues. For corporate or education accounts, this would be the business or educational institution who set up the account. But most of us who operate our personal Zoom accounts would have the accounts in our name.

Personally, I would also like to have the option to know about data-sovereignty information for corporate, education or similar accounts. This can be important if Zoom supports on-premises data storage or establishes “data-trustee” relationships with other telco or IT companies and uses this as a means to assure proper user privacy, business confidentiality and data sovereignty. A good example of this could be the European public data cloud that Germany and France are wanting to set up to compute with American and Chinese offerings while supporting European values.

Another issue is how this will come about during a video conference where the user is operating their session full-screen with the typical tile-up view but not using the enhanced-functionality features. Could this be like with Websites that pop up a consent notification disclosing what cookies or similar features are taking place when one uses the Website for the first time or moves to other pages?

It will be delivered as part of the latest updates for Zoom client software across all the platforms. This may also be a feature that will have to come about for other popular videoconferencing platforms like Microsoft Teams or Skype as a way to assure users of their conversation privacy and business confidentiality.

Google to participate in setting standards for mobile app security

Articles – From the horse’s mouth

Google

A standard and certification program now exists for mobile application security

A New Standard for Mobile App Security (Google Security Blog post)

Internet Of Secure Things Alliance (ioXT)

ioXt Alliance Expands Certification Program for Mobile and VPN Security (Press Release)

Mobile Application Profile (Reference Standard Document – PDF)

My Comments

There is a constant data-security and user-privacy risk associated with mobile computing.

And this is being underscored heavily as a significant number of mobile apps are part of “app-cessory” ecosystems for various Internet-of-Things devices. That is where a mobile app is serving as a control surface for one of these devices. Let’s not forget that VPNs are coming to the fore as a data-security and user-privacy aid for our personal-computing lives.

Internet of Secure Things ioXT logo courtesy of Internet of Secure Things Alliance

Expect this to appear alongside mobile-platform apps to signify they are designed for security

But how can we be sure that an app that we install on our smartphones or tablets is written to best security practices? What is being identified is a need for an industry standard supported by a trademarked logo that allows us to know that this kind of software is written for security.

A group called the Internet of Secure Things Alliance, known as ioXT, have started to define basic standards for secure Internet-of-Things ecosystems. Here they have defined various device profiles for different Internet-of-Things device types and determined minimum and recommended requirements for a device to be certified as being “secure” by them. This then allows the vendor to show a distinct ioXT-secure logo on the product or associated material.

Now Google and others have worked with ioXT to define a Mobile Application Profile that sets out minimum security standards for mobile-platform software in order to be deemed secure by them. At the moment, this is focused towards app-cessory software that works with connected devices along with consumer-facing privacy-focused VPN endpoint software. For that matter, Google is behind a “white-box” user-privacy VPN solution that can be offered under different labels.

This device profile has been written in an “open form” to cater towards other mobile app classes that need to have specific data-security and user-privacy requirements. This will come about as ioXT revises the Mobile Application Profile.

Conclusion

The ioXT Internet-of-Secure-Things platform could be extended to certifying more classes of native mobile-platform and desktop-platform software that works with the Internet of Everything. The VPN aspect of the Mobile Application Profile can also apply to native desktop VPN-management clients or native and Web software intended to manage router-based VPN setups.

At least a non-perpetual certification program with a trademarked logo now exists for the Internet of Everything and mobile apps to assure customers that the hardware and software is secure by design and default.

Zoom even makes it easier to deal with Zoombombing incidents

Article

Zoom (MacOS) multi-party video conference screenshot

Zoom to give more control to meeting hosts

How to stop a Zoombombing | Lifehacker

From the horse’s mouth

Zoom

3 New Ways We’re Combatting Meeting Disruptions (Blog Post)

My Comments

During the COVID-19 pandemic causing us to work or study from home, we have been seeing increased use of videoconferencing platforms like Zoom.

It has led to the convergence of business and personal use of popular multiparty videoconferencing platforms; be it business platforms of the Zoom and Microsoft Teams ilk serving personal, social and community needs; or personal platforms like Skype and WhatsApp being used for business use. This is more so with small businesses, community organisations and the like who don’t have their own IT team to manage this software. The software developers even support this convergence through adding “personal and social” features to business users that also gain free social-user tiers or adding business features to personal platforms.

But this has brought along its fair share of miscreants. A key example of this is “Zoombombing” where these miscreants join a Zoom meeting in order to disrupt it. This manifests in disruptive comments being put in to the meeting or at worst all sorts of filth unfit for the office or family home appearing on our screens. Infact there have been a significant number of high-profile Zoom virtual events disrupted that way and a significant number of governments have encompassed this phenomenon as part of raising questions about videoconferencing platform security.

This has been facilitated by Zoom and similar business videoconferencing platforms allowing people to join a videoconference by clicking on a meeting-specific URL This is compared to Skype, Viber, Facebook Messenger, WhatsApp and similar personal videoconferencing platforms operating on an in-platform invitation protocol when joining these meetings.

But these Weblinks bave been posted on the Social Web for every man and his dog to see. There have been some online forums that have been hurriedly set up for people to solicit others to disrupt online meetings.

Zoom recently took action by requiring the use of meeting passwords and waiting-room setups and operating with that by default. As well meeting hosts and participants have been encourage not to place meeting URLs and passwords on any part of the Web open to the public. Rather they are to send the link via email or instant messaging. As well, they are encouraged to send the password under separate cover.

They also have the ability to lock the meeting so no further attendees can come in, which is good if the meeting is based around known attendees. There is also the ability for the host to control resource-sharing and remote-control functionality that Zoom offers. Let’s not forget that they also added meeting-wide end-to-end encryption for increasingly-secure meetings.

But Zoom has taken further action by offering meeting hosts more tools to control their meeting, a feature available to all client software and to all user classes whether free or paid.

There is the ability for the Zoom meeting host to pause the meeting. Once this is invoked, no activity can take place during the meeting including in any breakout rooms that the meeting has spawned. They also have the ability to report the meeting to Zoom’s platform=wide security team and to selectively enable each meeting feature. They can also report users to Zoom’s platform security team, which allows them to file the report and give the disruptive user the royal order of the boot from that meeting.

Another feature that has been introduced thanks to the “join by URL” method that Zoom supports is for meeting hosts to be alerted if their meeting is at risk of disruption. Zoom facilitates this using a Webcrawler that hunts for meeting URLs on the public Web and alerts the meeting host if their meeting’s URL is posted there such as being on the Social Web. Here, they are given the opportunity to change the URL to deflect any potential Zoombomb attempts.

But this year has become a key year as far as multiparty videoconferencing is concerned due to our reliance on it. Here, it may be about seeing less differentiation between business-use and personal-use platforms or the definition of a basic feature set that these videoconferencing platforms are meant to have with secure private operation being part of that definition.

Microsoft integrates the Trusted Platform Module in to computer CPUs

Articles

Microsoft brings Trusted Platform Module functionality directly to CPUs under securo-silicon architecture Pluton | The Register

Microsoft reveals Pluton, a custom security chip built into Intel, AMD and Qualcomm processors | TechCrunch

Microsoft Pluton is a new processor with Xbox-like security for Windows PCs | The Verge

From the horse’s mouth

Microsoft

Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs (Blog Post)

My Comments

Most recently-built desktop and laptop regular computers that run Windows, especially business-focused machines offered by big brands, implement a secure element known as the Trusted Platform Module. This is where encryption keys for functions like BitLocker, Windows Hello or Windows-based password vaults are kept. But this is kept as a separate chip on the computer’s motherboard in most cases.

But Microsoft are taking a different approach to providing a secure element on their Windows-based regular-computer platform. Here, this is in the form of keeping the Trusted Platform Module on the same piece of silicon as the computer’s main CPU “brain”.

Microsoft initially implemented a security-chip-within-CPU approach with their XBox platform as a digital-rights-management approach. Other manufacturers have implemented this approach in some form or another for their computing devices such as Samsung implementing in the latest Galaxy S smartphones or Apple implementing it as the T2 security chip within newer Macintosh regular computers. There is even an Internet-of-Things platform known as the Azure Sphere which implements the “security-chip-within-CPU” approach.

This approach works around the security risk of a person gaining physical access to a computer to exfiltrate encryption keys and sensitive data held within the Trusted Platform Module due to it being a separate chip from the main CPU. As well, before Microsoft announced the Pluton design, they subjected it to many security tests including stress-tests so that it doesn’t haunt them with the same kind of weaknesses that affect the Apple T2 security chip which was launched in 2017.

Intel, AMD and Qualcomm who design and make CPUs for Windows-based regular computers have worked with Microsoft to finalise this “security-chip-within-CPU” design. Here, they will offer it in subsequent x86-based and ARM-based CPU designs.

The TPM application-programming-interface “hooks” will stay the same as far as Windows and application-software development is concerned. This means that there is no need to rewrite Windows or any security software to take advantage of this chipset design. The Microsoft Pluton approach will benefit from “over-the-air” software updates which, for Windows users, will come as part of the “Patch Tuesday” update cycle.

More users will stand to benefit from “secure-element” computing including those who custom-build their computer systems or buy “white-label” desktop computer systems from independent computer stores.

As well, Linux users will stand to benefit due to efforts to make this open-source and available to that operating-system platform. In the same context, it could allow increasingly-secure computing to be part of the operating system and could open up standard secure computing approaches for Linux-derived “open-frame” computer platforms like Google’s ChromeOS or Android.

Here, the idea of a secure element integrated within a CPU chip die isn’t just for digital-rights-management anymore. It answers the common business and consumer need for stronger data security, user privacy, business confidentiality and operational robustness. There is also the goal of achieving secure computing from the local processing silicon to the cloud for online computing needs.

Microsoft hasn’t opened up regarding whether the Pluton trusted-computing design will be available to all silicon vendors or whether there are plans to open-source the design. But this could lead to an increasingly-robust secure-element approach for Windows and other computing platforms.

Zoom to introduce end-to-end encryption

Articles

Zoom (MacOS) multi-party video conference screenshot

Zoom to provide end-to-end encryption for those video conferences

Zoom end-to-end encryption is finally rolling out next week | Android Authority

Zoom to preview free end-to-end encryption for meetings | ITNews

Zoom Is Adding End-To-End Encryption to Your Endless Meetings | Gizmodo

Zoom finally rolls out end-to-end encryption, but you have to enable it | Mashable

From the horse’s mouth

Zoom

Zoom Rolling Out End-to-End Encryption Offering (Blog Post)

My Comments

Since the COVID-19 coronavirus plague had us housebound even for work or school, we have ended up using videoconferencing platforms more frequently for work, school and social life. The most popular of these platforms ended up being Zoom which effectively became a generic trademark for multiparty videoconferencing.

But the computer press and consumer-privacy regulators identified that most of these videoconferencing platforms had security and user-privacy / company-confidentiality weaknesses. One of these that has beset Zoom was the lack of end-to-end encryption for multiparty videocalls. This ended up being a key issue due to most of us ending using these platforms more frequently and the increased use of Zoom and similar platforms for medical and legal telexonsultations.

Now Zoom, as part of its recent Zoomtopia feature-launch multiparty videoconference, has launched a number of new features for their platform. These include virtual participant layouts similar to what Microsoft Teams is offering.

But the important one here is to facilitate end-to-end encryption during multiparty videoconferences. This will be available across all of Zoom’s user base, whether free or paid. For the first 30 days from next week, it will be a technical preview so they can know of any bugs in the system.

The end-to-end encryption is based around the meeting host rather than Zoom generating the keypairs for the encryption protocol, which would occur as a videoconference is started and as users come on board. It is a feature that Zoom end-users would need to enable at account level and also activate for each meeting they wish to keep secure. That is different from WhatsApp where end-to-end encryption occurs by default and in a hands-off manner.

At the moment, updated native Zoom clients will support the end-to-end encryption – you won’t have support for it on Zoom Web experiences or third-party devices and services that work with Zoom like the smart displays or Facebook’s Portal TV videophone. This situation will be revised as Zoom releases newer APIs and software that answers thsi need.

If a meeting is operating with end-to-end encryption, there will be a green shield with a lock symbol in the upper left corner to indicate that this is the case. They can click on the icon to bring up a verification code and have that confirmed by the meeting host reading it out loud.

Free users will be required to use SMS-based verification when they set up their account for end-to-end encryption. This is a similar user experience to what a lot of online services are doing where there is a mobile phone number as a second factor of authenticity.

At least Zoom is taking steps towards making its multiparty videoconference platform more safe and secure for everyone.

A call to attention now exists regarding videoconferencing platform security

Article

Zoom (MacOS) multi-party video conference screenshot

A call to action is now taking place regarding the data security and user privacy of video conferencing platforms

Privacy watchdogs urge videoconferencing services to boost privacy protections | We Live Security

From the horse’s mouth

Officer Of The Privacy Commissioner Of Canada

Joint statement on global privacy expectations of Video Teleconferencing companies (English / Français)

Press Release (English, Français)

Office Of The Australian Information Commissioner

Global privacy expectations of video teleconference providers – with open letter

Federal Data Protection And Information Commissioner (Switzerland)

Audio And Video Conferencing Systems – Privacy Resource factsheet (English, Français, Deutsch, Italiano)

Open Letter (PDF)

Information Commissioner’s Office (United Kingdom)

Global privacy expectations of video teleconference providers

Open Letter (PDF)

My Comments

Thanks to the COVID-19 coronavirus plague, we are making increased use of various videoconferencing platforms for our work, education, healthcare, religious and social reasons.

This has been facilitated through the use of applications like Zoom, Skype, Microsoft Teams and HouseParty. It also includes “over-the-top” text-chat and Internet-telephony apps like Apple’s Facetime, Facebook’s Messenger, WhatsApp and Viber for this kind of communication, thanks to them opening up or having established multi-party audio/video conferencing or “party-line” communications facilities.

Security issues have been raised by various experts in the field about these platforms with some finding that there are platforms that aren’t fit for purpose in today’s use cases thanks to gaping holes in the platform’s security and privacy setup. In some cases, the software hasn’t been maintained in a manner as to prevent security risks taking place.

As well, there have been some high-profile “Zoombombing” attacks on video conferences in recent times. This is where inappropriate, usually pornographic, images have been thrown up in to these video conferences to embarrass the participants with one of these occurring during a court hearing and one disrupting an Australian open forum about reenergising tourism.

This has led to the public data-protection and privacy authorities in Australia, Canada, Gibraltar, Hong Kong, Switzerland and the United Kingdom writing an open letter to Microsoft, Cisco, Zoom, HouseParty and Google addressing these issues. I also see this relevant to any company who is running a text-based “chat” or similar service that offers group-chatting or party-line functionality or adapts their IP-based one-to-one audio/video telephony platform for multi-party calls.

Some of these issues are very similar to what has been raised over the last 10 years thanks to an increase in our use of online services and cloud computing in our daily lives.This included data security under a highly-mobile computing environment with a heterogeny of computing devices and online services; along with the issue of data sovereignty in a globalised business world.

One of the key issues is data security. This is about having proper data-security safeguards in place such as end-to-end encryption for communications traffic; improved access control like strong passwords, two-factor authentication or modern device-based authentication approaches like device PINs and biometrics.

There will also be the requirement to factor in handling of sensitive data like telehealth appointments between medical/allied-health specialists and their patients. Similarly data security in the context of videoconferencing will also encompass the management of a platform’s abilities to share files, Weblinks, secondary screens and other media beyond the video-audio feed.

As well, a “secure by design and default” approach should prohibit the ability to share resources including screenviews unless the person managing the videoconference gives the go-ahead for the person offering the resource. If there is a resource-preview mechanism, the previews should only be available to the person in charge of the video conference.

Another key issue is user privacy including business confidentiality. There will be a requirement for a videoconferencing platform to have “privacy by design and default”. It is similar to the core data-security operating principle of least privilege. It encompasses strong default access controls along with features like announcing new participants when they join a multi-party video conference; use of waiting rooms, muting the microphone and camera when you join a video conference with you having to deliberately enable them to have your voice and video part of the conference; an option to blur out backgrounds or use substitute backgrounds; use of substitute still images like account avatars in lieu of a video feed when the camera is muted; and the like.

There will also be a requirement to allow businesses to comply with user-privacy obligations like enabling them to seek users’ express consent before participating. It also includes a requirement for the platform to minimise the capture of data to what is necessary to provide the service. That may include things like limiting unnecessary synchronsing of contact lists for example.

Another issue is for the platforms to to “know their audience” or know what kind of users are using their platform. This is for them to properly provide these services in a privacy-focused way. It applies especially to use of the platform by children and vulnerable user groups; or where the platform is being used in a sensitive use setting like education, health or religion.

As well it encompasses where a videoconferencing platform is used or has its data handled within a jurisdiction that doesn’t respect fundamental human rights and civil liberties. This risk will increase more as countries succumb to populist rule and strongman politics and they forget the idea of these rights. In this case, participants face an increased exposure to various risks associated with these jurisdictions especially if the conversation is about a controversial topic or activity or they are a member of a people group targeted by the oppressive regime.

Another issue being raised is transparency and fairness. Here this is about what data is being collected by the platform, how it is being used, whom it is shared with including the jurisdictions they are based in along with why it is being collected. It doesn’t matter whether it is important or not. The transparency about data use within the platform also affects what happens whenever the platform is evolved and the kind of impact any change would have.

The last point is to provide each of the end-users effective control over their experience with the videoconferencing platforms. Here, an organisation or user group may determine that a particular videoconferencing platform like Zoom or Skype is the order of the day for their needs. But the users need to be able to know whether location data is being collected or whether the videoconference is tracking their engagement, or whether it is being recorded or transcribed.

I would add to this letter the issue of the platform’s user-friendliness from provisioning new users through all stages of establishing and managing a videoconference. This is of concern with videoconference platforms being used by young children or older-generation people who have had limited exposure to newer technologies. It also includes efforts to make the platform accessible to all abilities.

This is relevant to the security and user privacy of a videoconferencing platform due to simplifying the ability for the videoconference hosts and participants to maintain effective control of their experience. Here, if a platform’s user interface is difficult to use safely. videoconference hosts and participants will end up opting for insecure setups this making themselves vulnerable.

For example, consistent and less-confusing function icons or colours would be required for the software’s controls; along with proper standardised  “mapping” of controls on hardware devices to particular functions. Or there could be a user-interface option that always exposes the essential call-management controls at the bottom of the user’s screen during a videocall.

This issue has come to my mind due to regularly participating in a Skype videoconference session with my church’s Bible-study group. Most of the members of that group were of older generations who weren’t necessarily technology-literate. Here, I have had to explain what icons to click or tap on to enable the camera or microphone during the videoconference and even was starting it earlier to “walk” participants through using Skype. Here, it would be about calling out buttons on the screen that have particular icons for particular functions like enabling the camera or microphone or selecting the front or back camera on their device.

At least the public-service efforts have come about to raise the consistent security and privacy problems associated with the increased use of videoconferencing software.

Apple advises against Webcam shields on its newer Macbooks–could this be a trend that affects new low-profile laptops?

Article

Apple MacBook Pro running MacOS X Mavericks - press picture courtesy of Apple

Apple advises against using camera covers on their recent MacBooks.

Apple: Closing MacBooks with camera covers leads to display damage | Bleeping Computer

Previous coverage on HomeNetworking01.info

Keeping hackers away from your Webcam and microphone

My Comments

Apple has lately advised its MacBook owners to avoid buying and using accessory Webcam covers on their computers.

These Webcam shields are being seen as a security asset thanks to malware being used to activate the Webcam and microphone to surveil the computer’s user. But Apple advises against them due to the MacBook having the Webcam integrated with the circuitry for the screen and built in a very fragile manner. They also mention that the Webcam is used by macOS as an ambient light sensor and for advanced camera functionality.

Dell XPS 13 9360 8th Generation clamshell Ultrabook

with similar advice that could apply to other low-profile thin-bezel laptops like the Dell XPS 13

They recommend that if you use a device to obfuscate your Webcam, you use something as thin as a piece of ordinary printing paper and isn’t adhesive. This is because the adhesive can ruin your camera’s picture quality when you want to use it. As well, they recommend that you remove the camera-cover device before you close up your MacBook at the end of your computing session.

I also see this as a key trend that will affect other low-profile laptop computers like Ultrabooks and 2-in-1s that have very thin screen bezels like recent Dell XPS 13s. This is due to manufacturers designing the in-lid electronics in a more integrated manner so as to reduce the lid’s profile. Let’s not forget that with an increasing number of computers, the Webcam is part of facial-recognition-based device-level authentication if its operating system supports this function.

But you still need to protect your privacy when dealing with your laptop’s, all-in-one’s or monitor’s integrated Webcam and microphone.

Primarily, this is about proper computer housekeeping advice like making sure the computer’s operating system, applications, security software and any other software is up-to-date and with the latest security patches. As well, make sure that you know what is installed on your computer and that you don’t install software or click on links that you aren’t sure of.

You may find that your computer or monitor with the integrated Webcam will have some hardware security measures for that camera. This will be in the form of a shutter as used with some Lenovo equipment or a hardware switch that disables the camera as used with some HP equipment. Or the camera will have a tally light that glows when it is in use which is part of the camera’s hardware design. Here, make use of these features to protect your privacy. But you may find that these features may not affect what happens with your computer’s built-in microphone.

As well, you may find that your computer’s operating system or desktop security software has the ability to monitor or control which software has access to your Webcam, microphone or other sensors your computer is equipped with. Here, they may come with this functionality as part of a continual software update cycle. Let’s not forget that some Web browsers may bake camera-use detection in to their functionality as part of a major feature upgrade.

MacOS users should look at Apple’s support page for what they can do while Windows 10 users can look at Microsoft’s support page on this topic. Here, this kind of control is part of the fact that today’s desktop and mobile operating systems are being designed for security.

If your operating system or desktop security software doesn’t have this functionality, you may find third-party software for your computing platform that has oversight of your Webcam and microphone. One example for MacOS is Oversight which notifies you if the camera or microphone are being used, with the ability to detect software that “piggybacks” on to legitimate video-conferencing software to record your conversations. But you need to do some research about these apps before you consider downloading them.

Even if you are dealing with a recent MacBook or low-profile laptop computer, you can make sure your computer’s Webcam and integrated microphone isn’t being turned into a listening device.

More companies participate in Confidential Computing Consortium

Article

Facebook, AMD, Nvidia Join Confidential Computing Consortium | SDx Central

AMD, Facebook et Nvidia rejoignent une initiative qui veut protéger la mémoire vive de nos équipements  (AMD, NVIDIA and Facebook join an initiatiative to protect the live memory of our equipment) | O1Net.com (France – French language / Langue française)

From the horse’s mouth

Confidential Computing Consortium

Web site

My Comments

Some of online life’s household names are becoming part of the Confidential Computing Consortium. Here, AMD, Facebook, NVIDIA are part of this consortium which is a driver towards secure computing which is becoming more of a requirement these days.

What is the Confidential Computing Consortium

This is an industry consortium driven by the Linux Foundation to provide open standards for secure computing in all use cases.

It is about creating a standard software-development kits that are about secure software execution. This is to allow software to run in a hardware-based Trusted Execution Environment that is completely secure. It is also about writing this code to work independent of the system’s silicon manufacturer and to work across the common microarchitectures like ARM, RISC-V and x86.

This is becoming of importance nowadays with malware being written to take advantage of data being held within a computing device’s volatile random-access memory. One example of this include RAM-scraping malware targeted at point-of-sale / property-management systems that steal customers’ payment-card data while a transaction is in progress. Another example are the recent discoveries by Apple that a significant number of familiar iOS apps are snooping on the user’s iPhone or iPad Clipboard with their iPhones without the knowledge and consent of the user.

As well, in this day and age, most software implements various forms of “memory-to-memory” data transfer for many common activities like cutting and pasting. There is also the fact that an increasing number of apps are implementing context-sensitive functionality like conversion or translation for content that a user selects or even for something a user has loaded in to their device.

In most secure-computing setups, data is encrypted “in-transit” while it moves between computer systems and “at rest” while it exists on non-volatile secondary storage like mechanical hard disks or solid-state storage. But it isn’t encrypted while it is in use by a piece of computer software to fulfil that program’s purposes. This is leading to these kind of exploits like RAM-scraping malware.

The Confidential Computing Consortium is about encrypting the data that is held within RAM and allowing the user to grant software that they trust access to that encrypted data. Primarily it will be about consent-driven relevance-focused secure data use for the end-users.

But the idea is to assure not just the security and privacy of a user’s data but allow multiple applications on a server-class computer to run in a secure manner. This is increasingly important with the use of online services and cloud computing where data belonging to multiple users is being processed concurrently on the same physical computer.

This is even relevant to home and personal computing, including the use of online services and the Internet of Things. It is highly relevant with authenticating with online services or facilitating online transactions; as well as assuring end-users and consumers of data privacy. As well, most of us are heading towards telehealth and at-home care which involves the handling of more personally-sensitive information relating to our health through the use of common personal-computing devices.

The fact that Facebook is on board is due to the fact the social network’s users make use of social sign-on by that platform to sign up with or log in to various online services. In this case, it would be about protecting user-authentication tokens that move between Facebook and the online service during the sign-up or log-in phase.

As well,  Facebook has two fingers in the consumer online messaging space in the form of Facebook Messenger and WhatsApp products and both these services feature end-to-end encryption with WhatsApp having this feature enabled by default. Here, they want users to be sure that the messages during, say, a WhatsApp session stay encrypted even in the device’s RAM rather than just between devices and within the device’s non-volatile storage.

I see the Confidential Computing Consortium as underscoring a new vector within the data security concept with this vector representing the data that is in the computer’s memory while it is being processed. Here, it could be about establishing secure consent-driven access to data worked on during a computing session, including increased protection of highly-sensitive business and personal data.

Safe computing practices in the coronavirus age

Coronavirus Covid-19

The coronavirus plague is having us at home, inside and online more….
(iStock by Getty Images)

The Covid-19 coronavirus plague is changing our habits more and more as we stay at home to avoid the virus or avoid spreading it onwards. Now we are strongly relying on our home networks and the Internet to perform our work, continue studying and connect with others in our social circles.

But this state of affairs is drawing out its own cyber-security risks, with computing devices being vulnerable to malware and the existence of hastily-written software being preferred of tasks like videoconferencing. Not to mention the risk of an increasing flow of fake news and disinformation about this disease.

What can we do?

General IT security

But we need to be extra vigilant about our data security and personal privacy

The general IT security measures are very important even in this coronavirus age. Here, you need to make sure that all the software on your computing devices, including their operating systems are up-to-date and have the latest patches. It also applies to your network, TV set-top and Internet-of-Things hardware where you need to make sure the firmware is up-to-date. The best way to achieve this is to have the devices automatically download and install the revised software themselves.

As well, managing the passwords for our online services and our devices properly prevents the risk of data and identity theft. It may even be a good idea to use a password vault program to manage our passwords which may prevent us from reusing them across services.  Similarly using a word processor to keep a list of your passwords which is saved on removeable media and printed out, with both the hard and electronic copy kept in a secure location may also work wonders here.

Make sure that your computer is running a desktop / endpoint security program, even if it is the one that is part of the operating system. Similarly, using an on-demand scanning tool like Malwarebytes can work as a way to check for questionable software. As well, you may have to check the software that is installed on all of the computing devices is what you are using and even verify with multiple knowledgeable people if that program that is the “talk of the town” should be on your computer.

If you are signing up with new online services, it may even be a better idea to implement social sign-on with established credential pools like Google, Facebook or Microsoft. These setups implement a token between the credential pool and the online service as the authentication factor rather than a separate username and password that you create.

As well, you will be using the Webcam more frequently on your computing devices. The security issue with the Webcam and microphone is more important with computing setups that have the Webcam integrated in the computer or monitor, like with portable computing devices, “all-in-one” computers or monitors equipped with Webcams.

Here, you need to be careful of which programs are having access to the Webcam and microphone on your device. Here, if newly-installed software asks for use of your camera or microphone and it is out of touch with the way the software works, deny access to the camera or microphone when it asks for their use.

If you install a health-department-supplied tracking app as part of your government’s contact-tracing and disease-management efforts, remember to remove this app as soon as the coronavirus crisis is over. Doing this will protect your privacy once there is no real need to manage the disease.

Email and messaging security

Your email and messaging platforms will become an increased security risk at this time thanks to phishing including business email compromise. I have covered this issue in a previous article after helping someone reclaim their email service account after a successful phishing attempt.

An email or message would be a phishing attempt if the email isn’t commensurate with proper business writing standards for your country, has a sense of urgency about it and is too good to be true. Once you receive these emails, it is prudent to report them then delete them forthwith.

In the case of email addresses from official organisations, make sure that the domain name represents the organisation’s proper domain name. This is something that is exactly like the domain name they would use for their Web presence, although email addresses may have the domain name part of the address following the “ @ “ symbol prepended with a server identifier like “mail” or “email”. As well, there should be nothing appended to the domain name.

Also, be familiar with particular domain-name structures for official organisation clusters like the civil / public service, international organisations and academia when you open email or surf the Web. These will typically use protected high-level domain name suffixes like “.gov”, “.int” or “.edu” and won’t use common domain name suffixes like “ .com “. This will help with identifying whether a site or a sender is the proper authority or not.

Messaging and video-conferencing

Increasingly as we stay home due to the risk of catching or spreading the coronavirus plague, we are relying on messaging and video-conferencing software more frequently to communicate with each other. For example, families and communities are using video-conferencing software like Zoom or Skype to make a virtual “get-together” with each other thanks to these platforms’ support for many-to-many videocalls.

But as we rely on this software more, we need to make sure that our privacy, business confidentiality and data security is protected. This is becoming more important as we engage with our doctors, whether they be general practitioners or specialists, “over the wire” and reveal our medical issues to them that way.

If you value privacy, look towards using an online communications platform that implements end-to-end encryption. Infact, most of the respected “over-the-top” communications platforms like WhatsApp, Viber, Skype and iMessage offer this feature for 1:1 conversations between users on the same platform. Some, like WhatsApp and Viber offer this same feature for group conversations between users on that same platform.

Video-conferencing software like Zoom and Skype

When you are hosting a video-conference using Zoom, Skype or similar platforms, be familiar with any meeting-setup and meeting-management features that the platform offers. If the platform uses a Weblink to join a video-conference that you can share, use email or a messaging platform to share that link with potential participants. Avoid posting this on the Social Web so you keep gatecrashers from your meeting or class.

As well, if the platform supports password-protected meeting entry, use this feature to limit who can join the meeting. Here, it is also a good idea to send the password as a separate message from the meeting’s Weblink.

Some platforms like Zoom offer a waiting-room function which requires potential participants to wait and be vetted by the conference’s moderator before they can participate. As well these platforms may have a meeting-lockout so no more people can participate in the video-conference. Here, you use this function when all the participants that you expect are present in the meeting.

You need to regulate the screen sharing feature that your platform offers which allows meeting participants to share currently-running app or desktop user interfaces. Here, you may have the ability to limit this function to the moderator’s computer or a specified participant’s computer. Here this will prevent people from showing offensive imagery or videos to all the meeting’s participants. As well, you may also need to regulate access to any file-sharing functionality that the platform offers in order to prevent the video conference becoming a vector for spreading malware or offensive material.

Fake news and disinformation

Just like with the elections that count, the coronavirus issue has brought about its fair share of fake news and disinformation.

Here, I would recommend that you use trusted news sources like the respected public-service broadcasters for information about this plague. As well, I would recommend that you visit respected health-information sites including those offered “from the horse’s mouth” by local, regional or national government agencies for the latest information.

As well, trust your “gut reaction” when it comes to material that is posted online about the coronavirus plague, including the availability of necessary food or medical supplies. Here, he careful of content that is “out of reality” or plays on your emotions. The same attitude should also apply when it comes to buying essential supplies online and you are concerned about the availability and price of these supplies.

Conclusion

As we spend more time indoors and online thanks to the coronavirus, we need to keep our computing equipment including our tablets and smartphones running securely to protect our data and our privacy.