Tag: data security

Amnesty International reports on recent email phishing attacks

Article

How Hackers Bypass Gmail 2FA at Scale | Motherboard

Hacker spoofing bypasses 2FA security in Gmail, targets secure email services | ZDNet

My Comments

Recently, it has been revealed that hackers were attacking users of secure email sites by compromising the two-factor authentication that these sites implement.

This has been found to be an attack perpetrated by nation-states against journalists, human-rights defenders, non-government organisations and their allies in the Middle East and North Africa over 2017 and 2018. Here, the targeted users were relying on the Gmail and Yahoo Mail Webmail services as well as the ProtonMail and Tutanota secure Webmail services, and it was their accounts on these services that were compromised. This is because a Webmail setup typically provides a client-independent, portable email front-end.

What was going on was that a phishing page asked for the user’s email address and password, and using these on the real site would trigger the service’s two-factor authentication routine. The user was then “steered” to a fake page asking for the one-time password that they would transcribe from their mobile phone, which received this value via text message, so the attacker could pass that code on to the real site in turn. Once in, the attacker created an app password, a credential normally issued for third-party apps to use the service, and used it to sustain control of the user’s email account.

Oh yeah, the fake pages also had SSL certificates, so the “green padlock” icon appeared in the user’s Web browser, making the user think that they were safe. But the phishing that took place was facilitated using fake domain names that sounded and looked like the real domain names.

This loophole exploited the use of the “intact key” or “green padlock” symbol in a Web browser’s user interface to indicate that the SSL certificate was intact and that the interaction with the Website is protected by HTTPS. But the padlock says nothing about whether users are on the right Website, which is the breeding ground for phishing attempts.

The other weakness that was called out was the requirement for end-users to transcribe the one-time password from an SMS message, software token app or hardware token: anything a user can type can just as easily be typed into a phishing page. This was aggravated by the use of an app password to allow third-party app access to the service. What is being preferred as a secure 2FA solution is a security key kept in the possession of the end-user that connects to the user’s host device via USB, Bluetooth or NFC.

Most of us can easily relate this process to using an ATM to take cash out of our account or a payment terminal to pay for goods or services using our plastic cards. Here, to facilitate the transaction, you have to present your card by inserting it in or touching it on an identified spot on the ATM or payment terminal, then enter your PIN into the same machine.

Extended Validation SSL site as identified on Microsoft Edge – notice the organisation’s legal name appearing in green text

The Websites that high-risk end-users rely on can use Extended Validation SSL or Organisation Validated SSL certificates and other authentication measures to help users verify that the Website they are visiting is the correct one. Extended Validation SSL has a stronger certificate that verifies the organisation it is associated with and implements the strongest encryption available for HTTPS. The user experience here has a green bar in the browser’s address bar along with the usual padlock icon, with the organisation’s legal name written in the address bar before the URL. An Organisation Validated SSL certificate doesn’t give the green bar or text in the user interface but lists the organisation’s legal name in the address bar. But some browsers, like recent Chrome versions, no longer highlight the legal name in green for EV SSL certificates.

This also includes organisations keeping tabs on their Internet “real estate” of domain names to identify typosquatting risks and, perhaps, making further “land grabs” of domain names if they can afford it. This is in conjunction with efforts like those of Amnesty International with ProtonMail and Tutanota, where the providers are made aware of fake sites and are given legal assistance to take them down.

Then browsers and similar user agents could highlight domain names more distinctly so users know where they actually are. This would be more important with email clients or browsers implemented on “reduced-user-interface” platforms like mobile operating systems. As well, end-users in high-security-risk user groups could be trained to be aware of the domains associated with the Websites they are visiting. Mobile browsers pitched to smartphones could also implement a way to show the organisation’s legal name in the user interface, such as a caret-identified drop-down that appears when an Organisation Validated or Extended Validation SSL certificate is in use.

Webmail-based user interfaces and similar high-risk online services could move towards use of “transcription-free” two-factor authentication like FIDO-U2F-compliant security keys including software keys run on mobile platforms to provide a secure login user experience.

Similarly, token-based authentication could be the way to go for app-to-service authentication, especially as we use native-client software to interact with online services. This avoids the creation of persistent “app passwords” to facilitate native client access to online services. Here I would see this as something important to investigate as part of working towards secure client-based email setups, especially as client-based email provides a platform-native user interface for your email.

Each of these approaches has to be looked at in a manner to work with small and medium organisations who don’t have their own IT staff. This is more so as this class of organisation sees itself as “grown up” when it uses cloud-based line-of-business software. The issue here is to assure that authorised users have secure access to the proper service they are authorised to use.

This situation that Amnesty International raised could also bring forward the idea of non-profit entities that underscore data security for independent media and civil society. Here, it could be about extending and bolstering the Electronic Frontier Foundation’s efforts or building up legal-action funds and lawyer teams to provide legal remedies against cyber-attacks.

What is now being realised is that data security has become a human-rights issue rather than just an economic necessity.

What can be done to support secure email?

Personal and business Internet users are showing interest in the concept of secure email. This is to assure that confidential emails only end up being viewed by the eyes of their intended recipients.

It is being driven by issues relating to confidential personal and business information being leaked to the Web along with a common personal worry regarding government surveillance in the age of terrorism and extremism. Along with this, activists, journalists and the like are wanting to rely on secure communications to pass through critical information in areas that are hostile to freedom of speech and the press. In some cases, people travelling through countries known to be hostile to freedom of speech like Russia and China have been encouraged to keep their data highly secure due to the espionage taking place in these countries.

Compose Email or New Email form

More work needs to be done on secure email

There is a slowly increasing prevalence of secure email platforms appearing on the Web. These platforms, such as the Swiss-based ProtonMail and the secure iteration of Google’s Gmail service, are dependent on a Web-based user interface. Along with this, most of us are using instant-messaging platforms like WhatsApp, Viber and Telegram to send personally-confidential material to each other.

But they offer a series of features intended to assure personal privacy and corporate data security. They offer end-to-end encryption for the emails at rest (while they are on the servers pending delivery) and in transit (while they are being moved between servers). They also offer the ability for users to send self-destructing emails that don’t stay in the recipient’s or the sender’s storage space after they are read, unlike conventional emails which stay in the user’s storage space after being sent or read. These self-destructing emails cannot even be forwarded to others or printed out (although it could be feasible to take a screenshot of that email and print or forward it). Some of these setups even have the ability to detect screenshots and let the sender know if the recipient took one of a confidential email. As well, the metadata about the emails isn’t held on the servers.

But there are current limitations associated with these services. One of these is that the privacy features are only available to users who subscribe to the same email platform. This is because the common standards for secure email such as S/MIME, PGP and GnuPG only support basic key-based encryption and authentication abilities and the common email protocols like IMAP and POP3 don’t support email-handling control at the message level. As well, these services rely on a Webmail interface and require users to click on links sent as part of standard emails to view the secure messages if they aren’t part of that system.

There are certain features that need to be added to IMAP4 to allow for secure email handling. One of these is message-level email control to permit self-destructing emails and to allow the sender to limit how the recipient can handle the messages. But the message-control features may run against legal-archive and similar requirements that will be asked of business correspondence. In this situation, there may be the ability to indicate to senders or recipients that the emails are being archived as a matter of course and that message-level email control can’t be assured.

Of course this may be about a newer feature-level email standard, preferably open-source or managed by many in computing academia and industry, to add this kind of secure email control.

Then there is the requirement to encourage the use of encrypted-email / authenticated-email standards like S/MIME or PGP within email endpoints, both Web-based and client-based. It will also include the ability for users to create asymmetrical key pairs and store their correspondents’ public keys in their contact manager software. There will also have to be the ability to support automated public-key discovery as a new contact is added, something currently feasible with encrypted messaging platforms that maintain their own contact directory.

Other questions that will come up in the course of building a secure email ecosystem is how the encryption keys are stored on the end-user’s system and whether an end-user needs to create new encryption keys when they change devices along with how to store them securely. This can be of concern with most computer users who typically maintain multiple devices, typically a smartphone along with a regular desktop or laptop computer and / or a tablet of the iPad ilk. Similarly there is the fact that one may not have the same computing device for the long haul, typically due to replacing one that has broken down or upgrading to a better-performing device.

There will also have to be the issue of security and portability thanks to issues like users temporarily using different computer devices such as friends’ computers, work / school computers or public computers. Here, it may be a question about where contact-specific encryption keys are held, whether on a server or on removable media along with how email sessions are handled on these temporary setups.

What will need to happen is for email platforms to support various secure-messaging features in a manner that can exist on a level playing field and without the need for correspondents to be on the same provider.

Fingerprint scanning now available as a reasonably-priced add-on for your computer

Article

Fujitsu Lifebook S-Series SH771 trackpad and fingerprint reader

Fingerprint readers like what this Fujitsu laptop is equipped with are now available at a reasonable price for your existing computer

Best fingerprint scanners that let you use Windows Hello on older PCs | Windows Central

My Comments

I have reviewed a significant number of laptop computers, usually business-grade laptops, that have come with integrated fingerprint readers. This is a feature that is becoming common with premium and business-grade laptops but is also showing up on premium-grade smartphones and tablets.

Here, this allows you to scan your finger to log in to your device, with it able to be used as an additional authentication factor or as the only authentication factor. During my tenure with the various fingerprint-reader-equipped laptops, I set things up so that I log in to these computers using my fingerprint and this provided an effectively simplified but secure login experience to the system and online services like Facebook.

But you can have this with your existing Windows computer thanks to add-on fingerprint scanners that are reasonably priced. Similarly, a fingerprint-reader attachment may be the answer if you have a computer with an integrated fingerprint reader that has failed or has compatibility issues with Windows 10.

Previously, purchasing a fingerprint scanner for your desktop or existing laptop was about buying a piece of overpriced hardware pitched for larger enterprises who care about their security. As well, there was the risk of compatibility issues with these devices and the operating system.

Now these reasonably-priced devices called out in the Windows Central article are designed to work out of the box with Windows 10, especially with its class drivers and Hello simplified-login functionality. In most cases, these devices are a single-piece device that plugs into the host computer’s USB port. This can work well for most laptop users and could work well with a desktop computer if you use a USB hub or a directly-connected peripheral that has USB hub functionality and at least one USB port flush with its outer surface.

The BIO-Key EcoID device exists on the end of a USB cable which would be a boon for desktop users but may be considered as something that gets in the way for laptop users. It also has the one-touch scan setup which is a similar user experience to what happens for smartphones or recent-issue laptops like the Dell XPS 13 2-in-1 convertible Ultrabook.

All of these USB fingerprint readers listed in the article are available through Amazon with most of them retailing for between AUD$30-AUD$45 per unit. At least it is a way to set up your existing Windows 10 computer for one-touch secure logon without needing to fork out for a business-grade laptop. You also then have that same level of security if you bought a business-grade laptop with this feature but you want to equip your desktop PC or gaming rig with this level of security.

You can find out what Alexa has recorded

Article

Amazon Echo on kitchen bench press photo courtesy of Amazon USA

You can find out what Amazon Alexa has recorded through your Echo device

How To Find Out What Your Alexa Is Recording | Lifehacker

My Comments

Recently, the computer press went into overdrive about an Amazon Echo setup that unintentionally recorded a family’s private conversation and forwarded it to someone in Seattle. Here, the big question that was asked was: what is your Amazon Echo or similar smart speaker device recording without you knowing?

Amazon Echo, Google Home and similar voice-driven home-assistant platforms require a smart speaker that is part of the platform to listen for a “wake word”, which is a keyword that wakes up these devices and has them listening. Then these devices capture and interpret what you say after that “wake word” in order to perform their function. One of the functions that these devices may perform is audio messaging, where they record a user’s message and pass that message on to another user on the same platform.

I had previously covered the issue of these voice-driven assistants being at risk of nuisance triggering, including a mention of the Xbox game console supporting a voice assistant that triggered when an adman on a TV commercial called out a spot-special for the games console by saying “Xbox On Sale” or “Xbox On Special”.

Here, I recommended the use of a manual “call button” to make these devices ready to listen when you are ready or a “microphone mute” toggle to prevent your device being falsely triggered. As well, I recommended a visual indicator on the device that signals when it is listening. This is a practice mainly done with voice-assistant functionality that is part of a video peripheral’s feature set or software that runs on a platform computing device. Google’s Home smart speaker instead uses the microphone-mute button to allow you to control its microphone.

But you can check what Alexa has been recording from your Amazon Echo or other Alexa-compatible speaker device and delete private material that she shouldn’t have captured. This is also useful if you are troubleshooting one of these devices, identifying misunderstood instructions or are developing an Alexa Skill for the Alexa ecosystem.

  1. Here you launch the Amazon Alexa mobile-platform app on your smartphone. If you are using the Amazon Alexa Website (http://alexa.amazon.com) as previously mentioned on this site, there is a similar procedure to go about identifying your Amazon Echo sessions.
  2. Then you tap on the hamburger-shaped “advanced operation” icon on the top left of your screen.
  3. Tap on Settings to bring up a Settings menu for your setup. Go to the History option in the Alexa Account section of that menu.
  4. Here, you will see a list of interactions with any Alexa-ecosystem hardware or software front-end related to your Amazon account. These will be categorised by what has been understood and what hasn’t been understood. There is an option to filter the interaction list by date, which is handy if you have made heavy use of your Amazon Echo device through the months and years.

You can play each interaction to be sure of what your Alexa device or software has recorded. With these interactions, the current version of the interface only allows you to delete each unwanted interaction one by one. The effect of the deletion is that the interaction, including the voice recording, disappears from your account and the Amazon servers. But this could degrade your Amazon Alexa experience due to it not having much data to work on for its machine-learning abilities.

Here, at least with the Amazon Alexa ecosystem, you have some control over what has been recorded so you can remove potentially-private conversations from that ecosystem.

Another attempt at security for the Internet Of Things

Article

Google and others back Internet of Things security push | Engadget

My Comments

An issue that is perplexing the personal-computing scene is data security and user privacy in the context of dedicated-function devices including the Internet Of Things. This has lately come to the fore thanks to the KRACK WPA2 wireless-network security exploit, which mainly affects Wi-Fi client devices. These devices are of particular concern because the device vendors and the chipset vendors don’t regularly update the software for them.

But ARM Holdings, the British chipmaker behind the ARM RISC microarchitecture used in mobile devices and most dedicated-function devices, has joined with Google Cloud Platform and others to push for an Internet-Of-Things data security platform. This is very relevant because the ARM RISC microarchitecture satisfies the needs of dedicated-function device designs, delivering more functionality on a leaner power budget than traditional microarchitectures.

Here, the effort is centred around open-source firmware known as “Firmware-M” that is to be pitched for ARMv8-M CPUs. The Platform Security Architecture will allow the ability for hardware / software / cloud-system designers to tackle IoT threat models and analyse the firmware with a security angle. This means that they can work towards hardware and firmware architectures that have a “best-practice approach” for security and user-friendliness for devices likely to be used by the typical householder.

There is still the issue of assuring software maintenance over the lifecycle of the typical IoT and dedicated-function device. This will include how newer updated firmware should be deployed to existing devices and how often such updates should take place. It will also have to include practices associated with maintaining devices abandoned by their vendors such as when a vendor ceases to exist or changes hands or a device reaches end-of-life.

But at least it is another effort by industry to answer the data-security and user-privacy realities associated with the Internet Of Things.

KRACK WPA2 Wi-Fi vulnerability–what is affected

Telstra Gateway Frontier modem router press picture courtesy of Telstra

A wireless router set up in the ordinary way as a base station or hub for your home network isn’t at risk of the KRACK exploit

The computing press has been awash with articles regarding a recently-discovered security vulnerability that affects Wi-Fi wireless networks. This vulnerability, known as KRACK, compromises the authentication process associated with the WPA2 security protocols that most Wi-Fi home and business networks implement.

What is affected

But it mainly affects client devices like laptops, smartphones and the Internet of Things which connect to Wi-Fi networks using WPA2 facilitated through software that isn’t patched against this risk.

It also can affect Wi-Fi infrastructure devices that serve as a repeater or client-side bridge in a Wi-Fi wireless network segment – this encompasses Wi-Fi client bridges used to connect desktop computers or smart TVs equipped with Ethernet connectivity to a Wi-Fi network, Wi-Fi repeaters, distributed-Wi-Fi setups and mobile devices implementing “bridge-to-Wi-Fi” functionality.

Data security risks

The security and privacy risk occurs at the media level of your network connection which would represent the Wi-Fi wireless link to the access point / router.

If you use higher-level encryption protocols, such as gaining access to Internet resources through SSL / TLS encryption (which includes “https” Webpages), implementing a client-based VPN or using IP telecommunications apps that implement end-to-end encryption, you have reduced the risk that the KRACK vulnerability poses to your data security. Access to LAN-based resources like your NAS or printer from within your network can still be at risk with Wi-Fi clients that aren’t patched against this vulnerability, just as access to unencrypted Internet resources is.

Current remediation efforts

This situation has been rectified for regular computers running Windows 7 onwards through a patch that Microsoft rolled out as part of the October 10 security update. Here Microsoft didn’t disclose this vulnerability until there was a chance for all of industry to have patches in beta testing or “ready to roll”.

Just lately (1 November 2017 AEDT) Apple released patches for MacOS High Sierra, Sierra and El Capitan versions; and iOS 11.1 (iPhone 7 onwards, iPad Pro 9.7″ (2016) onwards); tvOS 11.1 (4K Apple TV onwards) and watchOS 11.1 to address this issue. The Intego Mac Security Blog post that I culled these details from was miffed about the fact that the large number of iPhone 6 and earlier devices that are still in operation have not been addressed. I would also extend this concern to the older iPad and iPod Touch devices that are also in operation, such as those iPod Touches the kids use or the iPad in your living room.

On December 2 2017 US PT, Apple released the iOS 11.2 update which provided this protection for iPhone 5S, iPhone SE and all model variants of the iPhone 6. This update also applies to the 12.9″ iPad Pro (1st generation), the iPad (6th generation), the iPad Air, the iPad Mini 2 onwards; and the iPod Touch (6th generation).

Other regular-computer and mobile operating systems are being updated with security patches that are coming online through the next two months or are already online.

There will also be various pieces of client-side security software that will be updated with extra code that provides extra defence against the KRACK Wi-Fi vulnerability for both the software and the host computer.

The devices you will find as having a strong risk factor for your network are “dedicated-purpose” network devices like Internet AV devices, “smart-home” devices, video-surveillance cameras and the like that don’t benefit from regular firmware updates. This will mainly affect those devices that manufacturers are declaring “end-of-support” on, or a lot of “white-box” devices sold by multiple vendors. But check your devices’ manufacturers’ Websites for new firmware that will patch the device against this vulnerability.

This will not affect the typical home or other small network that is based around a wireless router. Nor will it affect networks that implement multiple Wi-Fi access points connected to a wired (Ethernet or HomePlug) backbone. This is because you are dealing with devices that serve as a Wi-Fi base station for that particular wireless network segment.

But if you have Wi-Fi infrastructure devices using some sort of repeater or bridge functionality, check with the vendor for a firmware update for your device.

As well wireless router and access-point manufacturers, especially those courting the business and allied markets, will offer newer firmware to harden their devices against the KRACK vulnerability.

Remember that well-designed devices will, at best, implement an automatic software-update process; otherwise you may have to visit your device’s Settings, Setup or Configuration menu to download new firmware.

As well, the Wi-Fi Alliance have updated their certification tests for network hardware to be sure that such hardware isn’t vulnerable to this risk. These certification tests will be required before a product can show the Wi-Fi Certified logos and will affect products being introduced from this month onwards.

Keeping your network secure until new software is available

If you run Wi-Fi network infrastructure hardware that implements repeater or bridge functionality, disable the Wi-Fi client mode or repeater mode on these devices until your device is running firmware hardened against this vulnerability.

HomePlug AV adaptor

The HomePlug powerline adaptor can help with mitigating risks associated with the KRACK WPA2 Wi-Fi network vulnerability

You may also have to set up your home network with multiple access points linked to a wired backbone as the preferred way to extend the network’s coverage or reach to another building as has been done with this man-cave. A good example of this is to use a HomePlug wireless access point kit which uses your home’s AC wiring for this purpose. If you use a “Mi-Fi” mobile router that supports Wi-Fi data offload, disable this functionality until it is loaded with the latest secure firmware.

Similarly, use a wired network connection such as Ethernet or HomePlug to connect sessile devices like desktop computers, Smart TVs, printers and the like to your home network. This may not be feasible with those devices that only support Wi-Fi connectivity as their network-connection option.

Conclusion

You can mitigate the risk of the KRACK WPA2 Wi-Fi network vulnerability as long as you keep your computer equipment running software that is patched with the latest security updates.

If you use Wi-Fi infrastructure devices that work as a Wi-Fi client like repeaters or client bridges, these have to be updated with the latest firmware from their vendor. As well, use of wired backbones and access points for expanding your home network’s coverage will achieve the proper level of security against this risk if you are dealing with client-capable Wi-Fi infrastructure devices that aren’t updated with the latest software.

Let’s not forget that higher-level encryption protocols like SSL or client-side VPNs do mitigate the risk of data theft through this vulnerability.

Updated (1 November 2017 AEDT) to reflect the latest concerning what is happening with the Apple platforms.

Updated (11 December 2017 AEDT) to reflect the increased number of iPhones and iPads protected against the KRACK exploit by the iOS 11.2 update

Controlled folder access to come to Windows 10 soon

Articles

Windows 10 preview build protects your files from ransomware | Engadget

Windows 10 will hide your important files from ransomware soon | The Verge

Microsoft previews new ransomware protection feature | Bit-Tech

From the horse’s mouth

Microsoft

Windows Experience blog post

My Comments

If you have heard the news over the last few months, you will have heard about ransomware activity in the form of the WannaCry and Petya ransomware variants getting at major installations including the NHS and the Victorian traffic-camera infrastructure.

But Microsoft has attacked this problem in a different way by providing application-level control in the next major update for Windows 10 – the Fall Creators Update. It is part of refining the Windows Defender security software that is part of the operating system for improved business-tier data security.

It is a very similar process to what Android and iOS do in relation to allowing the user to control what apps have access to what resources and features on their smartphone or tablet. It is also in contrast to how regular-computer operating systems work when it comes to controlling the level of access granted to a computer’s file system, where users or groups of users are typically granted particular levels of access to folders or files.

Here, once you enable the Controlled Folder Access function, applications can’t add, modify or delete files in folders where this control exists unless the app is part of a user-defined whitelist. The routine for adding an app to the whitelist will be very similar to what you do on your iPhone or Android phone when it comes to allowing that app you newly downloaded to have access to a particular resource on your smartphone, and could occur during installation or when you first use that app after enabling Controlled Folders.

By default, this feature would be enabled for the Documents, Desktop, Pictures and Videos folder trees, but you can enable this feature for other folders such as “ad-hoc” work folders created on the system disk or other fixed storage on your system. I am not sure if this is also to apply to removable storage like USB hard disks, USB memory keys or SD cards, or whether this can also apply to network and online storage like your NAS shares or your Dropbox folder.
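The enable-then-whitelist workflow described above, as it can be driven from PowerShell on a Windows 10 machine with Windows Defender active. This is an added example rather than anything from the Windows Experience blog post; the work-folder and application paths are constructed placeholders, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from Microsoft's blog post): turning on Controlled Folder
# Access, extending the protected folders, whitelisting one application and
# reading back the block events. Assumes Windows 10 Fall Creators Update or
# later with Windows Defender Antivirus active, run as Administrator.
#Requires -RunAsAdministrator

# 1. Show the current state. EnableControlledFolderAccess reports
#    0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"
"Extra protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications:    $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Start in audit mode: nothing is blocked yet, but every write that *would*
#    be blocked is logged, so you can see which apps need whitelisting before
#    enforcement is switched on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect an ad-hoc work folder in addition to the default Documents,
#    Desktop, Pictures and Videos trees. The path is a constructed example.
$workFolder = 'D:\ProjectFiles'
if (Test-Path $workFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $workFolder
}

# 4. Whitelist a trusted application by its full executable path. The path is a
#    constructed example; whitelist only software you know must write here.
$trustedApp = 'C:\Program Files\ExampleVendor\ExampleEditor.exe'
if (Test-Path $trustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp
}

# 5. Switch to enforcement once the audit log has gone quiet.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Review what has been blocked (event 1123) or would have been blocked in
#    audit mode (event 1124) in the Windows Defender operational event log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running step 6 after a day in audit mode gives you the list of applications that would have been blocked, which is the whitelist you need before step 5.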

A question that can also be raised is whether the Controlled Folder feature will also provide a way to limit access to other system resources by apps. Here, it could range from access to network and Internet resources to prevent spyware from “phoning home” or to limit access to your computer’s Webcam and microphone to limit use of these resources as a surveillance tool.

Security flaw found in HP laptop audio driver software–how to fix it

Article

HP Elitebook Folio laptop press picture courtesy of HP

Check that your driver software is up to date on these HP business laptops.

HP issues fix for ‘keylogger’ found on several laptop models | ZDNet

Keylogger Found in Audio Driver of HP Laptops | BleepingComputer

From the horse’s mouth

Hewlett-Packard

Download site – identify your computer’s model number in the form on this site to obtain a list of the relevant software

My Comments and further information

Just lately, a security weakness has been found in the Conexant HD Audio driver software that was delivered with a large number of recently-issued HP business-tier laptop computers. It may also affect some of their consumer-focused laptops that run this driver. Let’s not forget the reality that some of you may have one of the affected HP business laptops as a consumer-tier computer, perhaps due to buying an ex-lease or surplus unit. This weakness affects driver versions 10.0.46 and prior versions.

The problem manifests with the MicTray64 program that comes with this software package. This is a keyboard monitor that listens for particular keystrokes in order to allow the user to control the computer’s integrated microphone. But, thanks to debug code being left in the production release of this software, the program becomes a keylogger, writing every keystroke to a cleartext logfile (MicTray.log) in the Users\Public folder on the computer’s system drive.

For those of you who want to know, what is a monitor program? It is a program that “listens” for a particular event from or to a peripheral, then carries out a pre-defined activity when that event occurs. In most cases, you see these programs in operation when you use a printer or scanner with your computer: they display a print-job status message when you print, or catch scan jobs you started from your scanner’s control surface.

If you have this version of the Conexant HD Audio driver software on your HP business laptop, you may have to use Task Manager to kill the MicTray64 keyboard-monitor process, as well as remove it from the Scheduled Tasks list. It may also be worth moving the MicTray64.exe file out of the Windows\System32 folder and the MicTray.log file out of the Users\Public folder on the system disk to somewhere else on your computer’s file system, checking that the computer is still stable and, if so, deleting those files.
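Before following the steps above, it helps to confirm which of the artefacts are actually on the machine. The following audit script is an added example, not HP’s or Conexant’s code; it assumes the file locations and the affected version range given in this post, and queries the driver, process and scheduled-task lists (run it as Administrator).

```powershell
# Added example: audit a Windows machine for the MicTray64 keylogger artefacts
# described in this post. Not HP or Conexant code; run as Administrator.
function Test-MicTrayKeylogger {
    $findings = New-Object System.Collections.Generic.List[string]
    $exePath  = Join-Path $env:SystemRoot  'System32\MicTray64.exe'
    $logPath  = Join-Path $env:SystemDrive 'Users\Public\MicTray.log'
    $lastBad  = [version]'10.0.46'   # this version and earlier are affected

    # 1. Conexant audio driver version. Compare major.minor.build only, so a
    #    four-part string such as 10.0.46.x is still treated as affected.
    Get-CimInstance Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Conexant*' -and $_.DriverVersion } |
        ForEach-Object {
            $mmb = ($_.DriverVersion -split '\.')[0..2] -join '.'
            if ([version]$mmb -le $lastBad) {
                $findings.Add("Affected Conexant driver $($_.DriverVersion) on '$($_.DeviceName)'")
            }
        }

    # 2. The keyboard-monitor process itself
    Get-Process -Name MicTray64 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("MicTray64 process running (PID $($_.Id))") }

    # 3. Any scheduled task whose action launches MicTray64
    Get-ScheduledTask | Where-Object {
        @($_.Actions | Where-Object { $_.Execute -like '*MicTray64*' }).Count -gt 0
    } | ForEach-Object { $findings.Add("Scheduled task '$($_.TaskName)' launches MicTray64") }

    # 4. The executable and the cleartext keystroke log
    if (Test-Path $exePath) { $findings.Add("MicTray64.exe present at $exePath") }
    if (Test-Path $logPath) {
        $bytes = (Get-Item $logPath).Length
        $findings.Add("Cleartext keystroke log at $logPath ($bytes bytes)")
    }
    return $findings
}

$result = @(Test-MicTrayKeylogger)
if ($result.Count -eq 0) { 'No MicTray64 keylogger artefacts found.' }
else { $result | ForEach-Object { "FOUND: $_" } }
```

A non-empty result means the driver update from HP is still outstanding; an existing MicTray.log should be treated as sensitive data (it may contain passwords typed on the machine) and securely deleted rather than left in Users\Public.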

An update that rectifies this problem has been made available on the HP.com driver download site and should also be made available through Windows Update. This will be available on Wednesday 10 May 2017 (US Pacific Time) for those machines made since 2016 and on Friday 12 May 2017 (US Pacific Time) for systems made during 2015.

HP may have software installed on these systems to check for newer versions of the software drivers, which may simplify the process of updating your computer’s drivers and firmware.

This is symptomatic of a situation where driver software and system firmware is rushed out the door without being checked for production-readiness and quality. That software then ends up as part of the distribution software image that comes with newer computer equipment, including appearing on the recovery partition of your computer’s system disk.

A good practice is to check your computer manufacturer’s Website for newer drivers and firmware for your computer at regular intervals and install this software. This practice will allow you to have a computer that runs in a more secure and stable manner, perhaps gaining some extra functionality that answers current requirements along the way.

HP to introduce virtual-hardware security for Web browsing

Article

HP Elitebook x360 G2 press picture courtesy of HP USA

HP Elitebook x360 G2 – to be equipped for Sure Click

HP hardens EliteBook protection with Sure Click, a browser secured in virtual hardware | PC World

From the horse’s mouth

HP

Press Release

Bromium

Press Release

Video explaining the Bromium micro-virtualisation approach

My Comments

A very common attack gateway that has been identified for endpoint computing devices, especially regular desktop or laptop computers, is the Web browser. It is because the browser is essentially the “viewport” to the Internet for most reading-based tasks.

But most recent browser versions have implemented software-based “hardening” against the various Internet-based attacks. This is in conjunction with the main desktop operating systems being “hardened” through each and every update and patch automatically applied. These updates facilitate practices like “sandboxing” where software of questionable provenance is effectively corralled in a logical quarantine area with minimal privileges so it doesn’t affect the rest of the system.

HP and Bromium have developed a “virtual hardware” approach where a browsing session takes place in a separate “logical computer”, a concept made practical by the multi-core CPUs that are the hub of today’s computer systems. This can provide improved security because that separate “logical computer” effectively runs its own operating system and has its data destroyed at the end of the session. It restricts the effect of malware like ransomware picked up during a “drive-by” download because the software can only run within that separate “logical computer”.

At the moment, this feature is being initially rolled out to the Elitebook x360 G2 convertible business laptop but will trickle out across the next generation of “Elite” premium manageable business computers to be launched in the second half of the year. It will work only with Microsoft’s Internet Explorer and Google’s open-source Chromium browser at the moment. What I would like to see happen is that this feature is able to be “trickled-down” to HP’s consumer, education and small-business product ranges but in a more “self-service” manner because households, small businesses and volunteer-driven community organisations could equally benefit from this feature.

Z-Wave to be the first standards group to mandate secure IoT

Article

Nest Learning Thermostat courtesy of Nest Labs

Z-Wave now requires a secure-by-design approach for Internet Of Things devices using its technology like these room thermostats

IoT gear will need better security to win a Z-Wave badge | PC World

Previous coverage on this topic

A Clear Reality Surfaces With The Internet Of Things

EU wants to establish a security baseline for Internet Of Things

August responds to its smart lock’s security weaknesses by patching its software

My Comments

The recent Mirai botnet denial-of-service cyber-attacks, including an attack against a data-security journalist, have raised serious questions regarding the design of the software for dedicated-purpose devices like network-infrastructure devices and the “Internet Of Things”. Here, they raised concern regarding default or hard-coded passwords along with poorly-maintained software as being a few of the issues that lead to lax security practices for dedicated-purpose devices.

This led to the European Union wanting to establish a baseline standard for device-software security, with a customer-facing indicator similar to energy-efficiency labels on appliances or nutrition-rating labels on foodstuffs. Here, the standard was to look at “default-for-security” setup routines along with the issue of software maintenance.

But Z-Wave, which maintains a short-range wireless-connectivity standard for home-automation devices, has answered this issue by requiring that devices using this technology implement its Security 2 (S2) secure-operations framework before the device can wear the Z-Wave logo. It is similar to various standards logos like Dolby noise reduction, DLNA or HDMI, where equipment has to be compliant with these standards before it can show the logo, and customers can see that logo as an indicator of compatibility.

Here, the requirement includes the use of a human-readable PIN number and/or a machine-readable QR code for authenticating devices to a Z-Wave network. As well, Z-Wave setups must implement a strong secure key exchange along with implementation of a Transport Layer Security 1.1 data tunnel for IP setups. It is mandatory for the endpoint devices like light bulbs, light switches and thermostats along with “hub” and similar devices that connect Z-Wave devices to the home network and Internet.

A question that may be raised with certain device classes like smart locks or security systems is whether a PIN number that you set using the device’s control surface, especially an “administrator” or “master” PIN number, constitutes a PIN number for the Security 2 (S2) framework.

At the moment, what Z-Wave has done is to address the issue of “secure setup” for this class of device. It hasn’t dealt with the issue of software maintenance, which is still a thorn in the side for dedicated-function devices and may be something that others in the industry need to deal with.