Tag: data security

Computer security is about trusting your instincts

Article

Festive season security myth: "If there are no links in an email, it can’t be a phish." | NakedSecurity Blog

My Comments

One point I keep making when educating people about computer security is to think before you click. Here, it is about being careful how you respond to emails and Web sites of doubtful provenance so you don’t become a victim of a scam or find your computer full of malware.

For example, phishing scams initially used links in the email as the hook to get people to “verify” their accounts or take similar action. Now they are using “loaded” attachments, with the body of the email carrying no links or HTML, so that the message isn’t rejected by the security filters built in to email clients and so that recipients who have learnt to distrust links still take the bait. The hook in these situations is the attachment, which is crafted to exploit weaknesses in the software that opens it or to carry links to Web resources as mentioned below.

PDF files present their own dangers because they can be crafted maliciously or contain links to Web resources. This is compounded by the fact that not all PDF reader software handles Web links the way a Web browser does. For example, a lot of these programs don’t show the destination URL when you hover over or dwell on the link before you click it.

I would personally like to see PDF and similar document viewers able to link with “website-reputation” engines such as those Symantec and other security-software vendors offer, and show an indicator of whether the link you are hovering on is considered safe. Similarly, search engines, website reputation agents, security scanners and similar tools could examine PDF files for abnormal construction and questionable links.
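As an added example (not code from the original post), the kind of pre-open check that last sentence describes can be done by hand: the Go program below scans a PDF attachment’s raw bytes for the URLs it contains and for PDF features that make a document do something as soon as it is opened (OpenAction, JavaScript, Launch actions, embedded files). The sample PDF bytes are constructed for the example and are not a renderable document; the function and type names are this example’s own. It first undoes the “#xx” hex escapes that PDF allows in names, since that is an easy way to hide /OpenAction from a naive string search.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
)

// Constructed sample, not a real attachment: a minimal PDF-like byte string
// carrying a link annotation, an action that runs on open (its name written
// with a "#41" hex escape for the letter A, a common obfuscation trick),
// embedded JavaScript and a Launch action. It is not a renderable PDF.
const samplePDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/verify-account) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/update", true);) >> endobj
6 0 obj << /S /Launch /F (cmd.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF`

var (
	nameRe = regexp.MustCompile(`/[A-Za-z0-9#]+`)     // a PDF name token
	escRe  = regexp.MustCompile(`#([0-9A-Fa-f]{2})`)  // #xx escape inside a name
	urlRe  = regexp.MustCompile(`https?://[^\s"'()<>]+`)
)

// check pairs a human-readable finding with the name token that triggers it.
type check struct {
	label string
	re    *regexp.Regexp
}

// Ordered so the output (and the test) is deterministic.
var checks = []check{
	{"OpenAction: something runs as soon as the file is opened", regexp.MustCompile(`/OpenAction\b`)},
	{"JavaScript action", regexp.MustCompile(`/JavaScript\b|/JS\b`)},
	{"Launch action: can start an external program", regexp.MustCompile(`/Launch\b`)},
	{"Embedded file", regexp.MustCompile(`/EmbeddedFile\b`)},
	{"Object streams: content may be compressed and hidden from this scan", regexp.MustCompile(`/ObjStm\b`)},
}

// normaliseNames decodes "#xx" escapes inside name tokens so that
// "/Open#41ction" is seen as "/OpenAction" by the checks below.
func normaliseNames(data []byte) []byte {
	return nameRe.ReplaceAllFunc(data, func(name []byte) []byte {
		return escRe.ReplaceAllFunc(name, func(esc []byte) []byte {
			b, err := hex.DecodeString(string(esc[1:]))
			if err != nil {
				return esc
			}
			return b
		})
	})
}

type Triage struct {
	URLs     []string // every http(s) URL in the file, in order of first appearance
	Findings []string // active-content features that were present
}

func (t Triage) Suspicious() bool { return len(t.Findings) > 0 }

// TriagePDF is a byte-level scan: fast, dependency-free, and deliberately
// not a PDF parser. It reports what it can see, not what is safe.
func TriagePDF(raw []byte) Triage {
	data := normaliseNames(raw)
	var t Triage
	seen := map[string]bool{}
	for _, m := range urlRe.FindAll(data, -1) {
		if u := string(m); !seen[u] {
			seen[u] = true
			t.URLs = append(t.URLs, u)
		}
	}
	for _, c := range checks {
		if c.re.Match(data) {
			t.Findings = append(t.Findings, c.label)
		}
	}
	return t
}

func main() {
	t := TriagePDF([]byte(samplePDF))
	fmt.Println("links found:")
	for _, u := range t.URLs {
		fmt.Println("  ", u)
	}
	fmt.Println("findings:")
	for _, f := range t.Findings {
		fmt.Println("  ", f)
	}
	fmt.Println("suspicious:", t.Suspicious())
}
```

The obvious caveat is that this is triage, not parsing: content inside compressed object streams (/ObjStm, which the scan flags as a finding in its own right) is invisible to a byte-level search, so a clean result is not proof of safety, while any finding is a good reason not to open the file.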

Instead, we have to do a “reality check” on these emails. For example, is the email from a company you have had business with, or is it part of ongoing business with that company? Are you expecting an email with attachments? Does it contain a lot of poor spelling or grammar, or wording that isn’t consistent with the language it is supposedly written in? Does it reflect the tone of the business and its industry? Simply, does the context sound too “out of this world” to be real?

This also applies to any offers provided through instant-messaging or social-network channels including the Facebook “fake-event” scams that are popping up as I have mentioned before.

But for the moment, are you sure that the link or attachment you are to click on is kosher before you click on it?

Firmware updates to be available to fix D-Link router vulnerability

Articles

D-Link to padlock router backdoor by Halloween | PC World Business

D-Link plans firmware update to disable backdoor | The Register

From the horse’s mouth

D-Link

Update On Router Security Issue

My Comments

Recently, the computer press was awash with articles about a backdoor in some of the popular D-Link routers. Here, a computer on the local network sends a specially crafted HTTP request (the router’s Web server checked for a particular User-Agent string) to the router’s Web management page and bypasses the login screen for the management dashboard. This is a greater risk with improperly set up Wi-Fi network segments hosted by these routers, or where computers on the local logical network are loaded with malware that takes advantage of this weakness.

Now D-Link is working towards offering revised firmware that closes the backdoor for each of the affected router models and is releasing it on their product support pages.

But of course, it is important to make sure that the wireless network segment that is part of your home or small-business network is secured with WPA2-Personal security and a strong random passphrase, along with an SSID that doesn’t reflect the make or model of the router. Similarly, it is good practice not to enable remote administrative access on these routers and to confine administrative tasks to the local network only.

This is in addition to other good computer housekeeping practices like running anti-malware software on your regular computers and being careful what you click on.

For that matter, I would encourage people to keep the firmware on their routers or other network hardware up-to-date in the same way we would keep operating systems and application software up-to-date.

Samsung’s Knox security platform available to consumers and small business

Article

Samsung opens up Knox security platform to all consumers

From the horse’s mouth

Samsung

Product Page

Lookout

Press Release

Product Page

My Comments

With the increased trend for BYOD and smartphone/tablet-based computing, there has been the call for mobile device management and mobile application management in order to achieve the goal of corporate data security.

Typically the solutions that are being offered out there are very costly and require an in-house information-technology team to manage them. This also includes the requirement to implement corporate messaging systems like Microsoft Exchange with ActiveSync and use them as data hubs for these systems. This kind of situation may not appeal to personal users who value the security of their personal data. Nor does it work well for small organisations where one person is effectively the “chief cook and bottle-washer”. You may be lucky enough to benefit from this technology if you deal with an IT value-added reseller that works with these systems and pitches them to such organisations.

But the security realities are still the same, especially with personal data or if your business hub is your briefcase, a corner of a room at home, a small office, or a small shop.

Here, Samsung has opened up the Knox security platform for their Galaxy-based Android mobile devices to everyone by partnering with Lookout. It implements sandboxing so you can corral private data and have it treated more securely than other data. This includes allowing only applications that you pre-approve to touch that data and limiting what they can do with it. For larger business setups, it could allow business data to be wiped off the smartphone when a user leaves the business without personal data being affected, but the same mechanism could be used when a smartphone is retired from active service or you effectively “hand the keys over” to someone else, for example as part of selling your business.

One question that may need to be asked is whether this solution allows multiple data corrals, so that a small-business operator or professional has greater control over data such as intellectual property pertaining to different contracts, or a person who does business work but also volunteer work for a charity can keep the two apart.

At least Samsung have taken the step to offer enterprise-grade security solutions to the “rest of us” rather than fencing them off for the “big end of town”, something that could be encouraged for data security and similar application classes.

The issue of cybercrime now reaches the national level

Article (Broadcast transcript)

HACKED! – Four Corners (ABC) Video and transcript through this link

Previous coverage on HomeNetworking01.info

Interview and Presentation–Security Issues associated with cloud-based computing (Interview with Alastair MacGibbon and Brahman Thyagalingham )

Symantec Symposium 2012 – My Observations From This Event

My Comments

I had watched the Four Corners “Hacked” broadcast concerning data security and cyber espionage, which encompassed the issue of the cyber attacks affecting nations as a whole.

The show touched on a few key points, some of which were raised at previous events that I attended. Here, it underscored hacking being part of espionage by nation-states such as China. The targets of this espionage were intellectual property belonging to private-sector companies or government departments, especially where military information was involved.

Example incidents include the recent theft of blueprints for ASIO’s new offices along with a cyber attack against Codan, an electronics supplier to Australian and allied defence forces. The tactics used against Codan included a public-access Wi-Fi network being used to install malware on a laptop belonging to a representative of that company when they visited China, along with a “spear-phishing” attack on their email. It also underscored the fact that what is ultimately at risk is not the entity’s computer networks themselves but the “crown jewels”, i.e. the key intellectual property that belongs to the entity.

The same show also underscored the use of malware to target essential-services systems like a nuclear enrichment plant in Iran and an Indian telecommunications satellite. Here, they raised the spectre of electricity grids, telecommunications backbones and similar infrastructure being targeted by sophisticated cyber attacks. This becomes more real as most essential-services systems become computer-controlled and connected to the Internet, and I would like to see these systems designed with fail-safe operation in mind, such as being able to work offline and keep providing the core service to known specifications if things go wrong online.

Later on in the show, Alastair MacGibbon called for the Australian government to require businesses and other organisations to publicly disclose cyber attacks, and wanted this across the board for all entities. He had previously made this point in the interview and presentation, where he described Australia’s data protection laws as careless, typical of the “She’ll Be Right” nation.

The Australian Government has since moved to improve its data-protection laws by tabling bills that require cyber-attack disclosure by the larger public companies rather than all companies.

As well, cyber espionage by nation-states was being considered in the same light as wartime matters like nuclear weapons and the treatment of civilians, and as something that needs to be tackled at an international level in the way those matters have been. Personally, I see the latest cyber-attacks, especially those emanating from countries that were behind the Iron Curtain, as the makings of another “Cold War”, and they have to be treated accordingly.

Guest Post: Basic Security for Your Home Wireless Network

Netgear DG834G ADSL2 wireless router

Netgear DG834G ADSL2 wireless router

So, you’re ready to set up that nice and convenient home wireless network.  You’ve got the router out of the box and you’re ready to plug everything in, but there’s just one problem.  You’re concerned, or maybe you’re even a little bit paranoid.  You’re wondering who out there might be able to pick up the signal.  Setting up a wireless network in your home can be very simple, but it can also pose a few risks if you get lazy or you’re using older wireless router technology.  Once you’ve set up the router, yes, other people with wireless devices may be able to detect the signal you’re broadcasting, but depending on the precautions you’ve taken, you can determine what happens when they see that signal.

Whether you live in an apartment complex, a tightly-packed subdivision, or on some rural street, there will always be opportunity for someone to detect your wireless signal. All they have to do is look for it. Does it mean they’ll try to connect to it? No. There isn’t any reason to panic about who might be able to see it. It doesn’t matter. What matters is your security and the preventive measures you’ve put in place to block unwanted access when that stray individual does decide to try to connect to your network and attempts to access your internet or your computer.

Securing your internet connection and your personal network is relatively simple. Many newer routers or modem/router combos will take you through a setup wizard that walks you through activating security protocols such as WEP or WPA and changing the SSID (network name). Setup wizards aren’t necessarily the best option for setting up your wireless network’s security, but if you don’t know what you’re doing, they can work. Just remember to change the SSID and avoid using WEP.

Why? Not changing your router’s default SSID can be a sign to outsiders that the user who set up the network has no idea what they’re doing. It can make that wireless signal a potential target. You can change it to whatever you want. As for WEP, it’s useless and simple to break through. A tech-savvy 8-year-old could break through WEP security in minutes. If you’re in the market for a wireless router (or have already purchased one) and one of the device’s selling points is WEP security, stay far away. Instead, look for devices offering WPA security, or better yet, WPA2 security.

Then set an encryption key password that isn’t your dog’s name, your street address, the town where you grew up, or something equally lame and easy to crack. Make it tough. Make it long. Don’t make it what you think is tough, make it genuinely tough. Try a password creation exercise. Write out strings of numbers and letters on a piece of paper. Or write out a series of words that have no apparent or logical connection to one another. Or make up words that aren’t in any dictionary. Be creative and don’t worry about whether you can remember it.

Since we’re talking about a home network, it isn’t a big deal if you write down your insane password and store it somewhere, preferably in a place you will remember.  That way, when you have additional devices you want to grant internet access to, whip it out, you’re ready to go, and no paranoia.
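To show why both halves of that advice (change the SSID, pick a long random passphrase) matter, here is an added example in Go that is not part of the guest post. It derives the WPA2-Personal pre-shared key the way IEEE 802.11i specifies it: PBKDF2-HMAC-SHA1 over the passphrase, 4096 iterations, with the SSID as the salt. The PBKDF2 routine is written out so the program needs only the standard library; the function names are this example’s own. The “password”/“IEEE” pair is the published 802.11i test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// pbkdf2SHA1 is plain PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, written
// out here so the example depends only on the standard library.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var derived []byte
	for block := 1; len(derived) < keyLen; block++ {
		// U1 = PRF(password, salt || INT(block)), INT as 4-byte big-endian
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(password, Uj-1); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		derived = append(derived, t...)
	}
	return derived[:keyLen]
}

// ValidatePassphrase applies the WPA2-Personal rules: 8 to 63 characters,
// printable ASCII only (0x20 to 0x7E).
func ValidatePassphrase(p string) error {
	if len(p) < 8 || len(p) > 63 {
		return errors.New("passphrase must be 8 to 63 characters")
	}
	for i := 0; i < len(p); i++ {
		if p[i] < 0x20 || p[i] > 0x7e {
			return errors.New("passphrase must be printable ASCII")
		}
	}
	return nil
}

// WPA2PSK derives the 256-bit pre-shared key (the Pairwise Master Key) as
// IEEE 802.11i specifies: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
func WPA2PSK(passphrase, ssid string) (string, error) {
	if err := ValidatePassphrase(passphrase); err != nil {
		return "", err
	}
	return hex.EncodeToString(pbkdf2SHA1([]byte(passphrase), []byte(ssid), 4096, 32)), nil
}

func main() {
	for _, c := range []struct{ pass, ssid string }{
		{"password", "IEEE"},    // published 802.11i test vector
		{"password", "NETGEAR"}, // same passphrase, different SSID: different key
		{"short", "NETGEAR"},    // rejected: under 8 characters
	} {
		psk, err := WPA2PSK(c.pass, c.ssid)
		if err != nil {
			fmt.Printf("%-10q SSID %-9q -> %v\n", c.pass, c.ssid, err)
			continue
		}
		fmt.Printf("%-10q SSID %-9q -> PSK %s\n", c.pass, c.ssid, psk)
	}
}
```

Because the SSID is the salt, an attacker who captures a handshake from a network that kept its default SSID can test candidate passphrases against a table of keys precomputed for that SSID, skipping the 4096 rounds per guess. A unique SSID forces that work to be redone for your network alone, and a long random passphrase makes the guess list itself hopeless. The 8-to-63 printable-ASCII limit is also why a wireless passphrase cannot simply be an arbitrary block of characters.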

Editor’s note:

Most recently-issued ISP-supplied or retail wireless routers are implementing a “secure by default” strategy which makes the process of creating a secure wireless network simple for most of us.

This includes strategies like WPS easy-setup routines together with a random passphrase, and an increasing number of routers supplied by ISPs or telcos as customer-premises equipment use SSIDs that have a service marketing name followed by three or four random digits, such as “BIGPOND1223” or “OPTUS4345”. One caveat: the PIN method of WPS has a known brute-force weakness, so prefer the push-button method or entering the passphrase by hand, and turn off WPS PIN entry where the router allows it. These strategies relate the experience of a secure home network to that of installing or using a typical door lock, something most of us identify with regularly.

Guest post by Jack Pike, television lover and guru of all things cable, who spends his time blogging with Time Warner Cable when not enjoying the tube.

Apple has now released a software fix for the Flashback trojan

Articles

A look at Apple’s Flashback removal tool | MacFixIt – CNET Reviews

Apple releases fix for Flashback malware | Engadget

Downloads – Apple’s support Website

Java Update for MacOS 10.6

Java for MacOS Lion

My Comments

Apple has reacted to the groundswell of concern about the recent Flashback malware and has issued updates to its Java runtime environment for both MacOS Snow Leopard and Lion.

Here, they have implemented a check-and-remove routine for this Trojan as part of the installation routine for the new Java runtime environment. For most Macintosh users, this will simplify the process of removing any trace of this malware as well as keeping the runtime environment up-to-date.

The CNET article also gave a detailed review of what goes on as well as how to fix situations if the installation takes too long and the procedure hangs. As I have posted previously, Apple could improve on the issue of providing system maintenance and desktop security software so that Mac users can keep these systems in good order.

Next generation HTTP afoot

Article

Engineers rebuild HTTP as a faster Web foundation | Deep Tech – CNET News

My Comments

HTTP has been the standard application protocol since the dawn of the World Wide Web and has effectively become the backbone for most file transfer and streaming activities on the modern Internet.

But there is a desire in the Internet industry to bring this standard to 2.0 and bring some major improvements to this standard to cater for today’s Internet reality.

Data multiplexing between client and server

One key capability is to adopt the SPDY protocol, which multiplexes the data between the Web server and the Web browser over a single connection. This provides faster and more efficient throughput, as well as support for prioritising streams and managing quality of service.

This may involve delivering audio and video material at a high quality-of-service level while text data and software downloads pass through on an “as-needed” basis.

Inherent end-to-end encryption support

The SPDY protocol that is to underpin HTTP 2.0 also runs over TLS, so it provides end-to-end encryption between browser and server. But Microsoft wanted this feature to be optional so it is implemented according to need, such as a blog not needing encryption whereas an Internet banking or device management Web page would.

TLS authenticates the server at connection time, but I would also like to see support for authenticating the data itself with a digital signature, not just encrypting it in transit. This could let users be sure that the file they are downloading is the authentic one even if it arrived through a cache or mirror, and would be especially important for field-updated BIOS and firmware deployments, as I raised in my commentary about a lawsuit involving HP concerning this practice and its security ramifications.

Caching support at network level

Another feature being proposed is network-level caching of HTTP data. This is intended for environments like mobile networks, where it could be desirable to cache data in the service network rather than on the user’s mobile device, without having to introduce proxy servers to provide that caching.

It would also allow mobile and embedded devices to avoid having to keep their own Web caches for quick loading of Web pages. Of course this will not help Web pages with regularly-updated data such as Web dashboards, Web mail or similar applications.

Other issues

It also is worth investigating whether the HTTP 2.0 standard could support applications like client-server email delivery or advanced document authoring such as version control.

Of course this development will take a long time to achieve and will require some form of HTTP 1.x backward compatibility so there isn’t the loss of continuity through an upgrade cycle.

CEBit 2012

Introduction

The CEBit 2012 IT show in Hannover, Germany is one of many technology trade shows covering Europe where there is a strong crossover between product classes. It was positioned at work-based computing but is competing with Mobile World Congress in Barcelona, Spain (smartphones), Internationale Funkausstellung in Berlin, Germany (consumer electronics) and Photokina in Cologne, Germany (digital imaging) as a European showcase for consumer and small-business information technology.

It has carried through the overall key trend of work-home computing and the always-mobile business life, with an emphasis on portable computing equipment and equipment to service the data cloud.

Key issues and trends in computing

Privacy and security in the online age

A key issue that has been raised through this year’s CEBIT show in Hannover is how US-based companies are limiting data privacy in the eyes of Europeans. Regular readers of HomeNetworking01.info may have seen articles being published about this issue, especially an industry interview that I did with Alastair MacGibbon and Brahman Thyagalingham, concerning the responsibility of service providers if something goes awry with the data in their care.

This was brought about by the recent privacy and security changes at Google as well as the increasing amount of data being held “in the cloud”. There was also an underscoring of the importance of trust concerning data in the Internet age.

Technological trends

PCs and laptops

These “regular” computers have not been forgotten even though there is a lot of interest in tablets and smartphones. The interest has been led by the imminent release by Microsoft of Windows 8, available as a consumer-preview version at the time of writing. One feature pitched for this operating system is that it is intended to bridge home and work computing lifestyles with mechanisms like Windows To Go “boot-from-USB” setups.

As well, there was the imminent release of the Ivy Bridge chipset and processor families by Intel, offering graphics close to “gaming quality” but with economical power consumption. A “Super SSD” was also premiered, with 512GB of solid-state storage in a 2.5” housing for the current generation of portable computers.

This year has seen more of the Ultrabooks being released by the various manufacturers and in different variants.

An example of this was Acer showing their new range of equipment with the Timeline Ultra M3. This was a so-called “15-inch Ultrabook” which had an optical drive and NVIDIA GeForce discrete graphics, with variants available with a hard disk or solid-state-drive only for their secondary storage.

Acer had also premiered their V3 lineup of 14”, 15” and 17” budget-friendly laptops with the 17” variant having a Blu-Ray optical drive. They also premiered the V5 11”, 14” and 15” slim mainstream laptops with the 14” and 15” varieties being equipped with discrete graphics as an option.

Toshiba also fielded a variant of the Portege Z830-120 Ultrabook with WiDi Wi-Fi-driven display link technology and was promising a “brown-goods” LCD TV with WiDi display functionality. I would say that this function may appear in a higher-end LCD chassis which serves a particular run of high-end lounge-room sets.

Of course, there would be some computers that are positioned as “bridge” units between the regular laptop and the tablet, typically being equipped with a touchscreen and a keyboard at least. Examples of these would include ASUS “Transformer” variants with detachable keyboards or “swivel-head” convertible laptops. These could be based on either an ARM RISC microarchitecture or the classic Intel microarchitecture with them running Windows or Android. They would be pitched at those of us who like the touchscreen tablet experience but also want to use a proper keyboard to create content.

Smartphones and Tablets

The smartphone and tablet scene at this fair has been affected by two issues. One is Apple releasing their third-generation iPad with the higher-resolution “Retina” display and A5X graphics subsystem concurrently with this show, setting the cat among the pigeons. Of course, the patent fights over tablet-computer design are still on with Apple, with some of the lawsuits still not resolved.

The other is that a lot of the smartphones and tablets destined for Europe were premiered at the previous Mobile World Congress in Barcelona, Spain. But there were a lot of the tablets being exhibited in Hannover.

Key features that were being put up included near-field communications which enabled “tap-and-go” payment and data transfer for these devices, larger screens for this device class, LTE wireless-broadband and DLNA implementation. As well, the Android devices are being released with quad-core processors, keyboard docks, glasses-free 3D, full HD graphics and other more attractive features.

As for LTE 4G wireless broadband, an increasing number of European mobile carriers are rolling out LTE networks through their market areas and are launching phones, tablets and modems that work with this technology.

Conclusion

What it sounds like is that the CEBit show is underpinning a mobile cloud-driven computing environment which is to support “regular” and mobile usage classes.

Security issues concerning field-updatable device software raised in HP lawsuit

Article

HP sued over security flaw in printers | Security – CNET News

My comments

An increasing trend that I have covered on this site and have noticed with equipment that I have reviewed is for the equipment to be updated with new firmware after it is sold to the customer.

Field-updating practices

Previously, this practice involved the device’s user using a regular computer as part of the update process. In a lot of cases, the user would download the update package to their computer and run a special program to deploy the update to the connected device. If the device, like a router, was connected via the network, the user uploaded the update package to it via its management Web page or another network file-transfer method.

Now it is becoming more common to update a device’s software without needing a regular computer at all, using the setup options on the device’s own control surface to check for and, if available, load newer firmware.

It also includes the device automatically polling a server for new firmware, then either inviting the user to perform the update or simply updating itself during off-hours, in a similar vein to the software-update mechanisms in Windows and MacOS.

As well, an increasing number of devices are becoming able to acquire new functionality through the use of “app stores” or the installation of add-on peripherals.

The HP lawsuit concerning printer firmware

Just last week, a lawsuit was filed against HP in the US District Court in San Jose, California, concerning weaknesses in the firmware of some of their printers that allow them to accept software of questionable origin. The issues raised were the ability to load modified software that could facilitate espionage or sabotage, discovered through lab-controlled experiments on some of the affected printers.

As all of us know, firmware and apps are typically held on servers, and servers can be compromised if one isn’t careful. This has been made more real by the recent Sony PlayStation Network break-in, although in that case it was user data that was stolen. It is entirely feasible for a device to look for new firmware at its known server and find compromised software instead of the real thing.

They even raised the question not just of software delivered and installed using a computer or network, but of the ability to install ROM or similar hardware chips in the device to alter its functionality. I would also see this including the ability to pass code in through the “debug” or “console” ports on these devices, which are used to connect computers to the devices as part of the software-development process.

This could have implications as equipment like home appliances, HVAC / domestic-hot-water equipment and building security equipment become field-programmable and join the network all in the name of “smart energy” and building automation. Issues that can be raised include heaters, ovens or clothes dryers being allowed to run too hot and cause a fire or building alarm systems that betray security-critical information to the Social Web without the users knowing.

Further ramifications of this lawsuit

Device manufacturers will have to treat the firmware that governs their products in a similar vein to the software that runs regular and mobile computing equipment. This includes authenticated software delivery, software rollback options (while still refusing an attacker’s attempt to push an older, vulnerable version back on to the device), and keeping customers in the loop about official software versions and change-logs (the differences between software versions).

In some cases, business computing equipment like laser printers will have firmware delivered in a similar manner to how computer software is rolled out to regular computers in larger businesses. This includes software that enables centralised firmware deployment and the ability to implement trial-deployment scenarios when new firmware or add-on software is released.

Devices that have proper-operation requirements critical to data security or personnel / building safety and security may require highly-interactive firmware delivery augmented with digital-signature verification and direct software-update notification to the customer.
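This is the same signed-content idea raised in the HTTP 2.0 post, and as an added example (not any vendor’s real mechanism) the Go program below shows what “authenticated software delivery” with a rollback check looks like at its simplest. The package format (version number, image, detached Ed25519 signature) and all names are this example’s own assumptions; the firmware images are constructed strings. The device holds only the vendor’s public key, so a compromised download server, the scenario raised above, can hand out whatever it likes and still cannot produce an image the device will accept.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical firmware update format used only for this
// example: a 4-byte big-endian version number, the image bytes, and a
// detached Ed25519 signature over version||image.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage binds the version number to the image so that a genuine old
// image cannot be relabelled as a newer one.
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, image...)
}

// SignPackage runs on the vendor's build system, the only place the private
// key exists.
func SignPackage(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// Device models the update client on the appliance. It holds only the
// vendor's public key (on real hardware: in ROM or OTP memory) and the
// version currently installed.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware signature invalid: image rejected")
	ErrRollback     = errors.New("firmware not newer than installed version: rollback refused")
)

// Install verifies the package before any byte of it would be written to
// flash; a failure leaves the running firmware untouched.
func (d *Device) Install(p UpdatePackage) error {
	if !ed25519.Verify(d.VendorKey, signedMessage(p.Version, p.Image), p.Signature) {
		return ErrBadSignature
	}
	if p.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = p.Version
	return nil
}

type ScenarioResult struct {
	GenuineAccepted  bool
	TamperedRejected bool
	RollbackRejected bool
	FinalVersion     uint32
}

// RunScenario plays out three deliveries from a possibly compromised update
// server: a genuine v2 image, a v2 image altered in transit, and a replay of
// the old (validly signed) v1 image.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	v1 := SignPackage(priv, 1, []byte("firmware image v1 (constructed sample)"))
	v2 := SignPackage(priv, 2, []byte("firmware image v2 (constructed sample)"))

	dev := &Device{VendorKey: pub, InstalledVersion: v1.Version}
	var res ScenarioResult

	res.GenuineAccepted = dev.Install(v2) == nil

	tampered := v2 // same version and signature, modified image
	tampered.Image = bytes.Replace(v2.Image, []byte("v2"), []byte("v2+backdoor"), 1)
	res.TamperedRejected = errors.Is(dev.Install(tampered), ErrBadSignature)

	// Signature checks out, version does not: the anti-rollback rule catches it.
	res.RollbackRejected = errors.Is(dev.Install(v1), ErrRollback)

	res.FinalVersion = dev.InstalledVersion
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Two details carry most of the weight. The version number is inside the signed data, so an attacker cannot take a genuine old image and relabel it as new; and the check happens before anything is written, so a failed verification leaves the running firmware untouched. On real hardware the public key belongs in ROM or one-time-programmable memory, otherwise whoever can rewrite the firmware can also rewrite the key that is supposed to constrain them.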

Similarly, security-software vendors may push for a system of integrating software solutions, including “edge-based” hardware firewall appliances in the process of software delivery to other devices.

Conclusion

What I would like to see out of this case if it is allowed to go “all the way” is that it becomes a platform where issues concerning the authenticity, veracity and safety of field-updatable firmware for specific-purpose devices are examined.

The recent Telstra security breaches–how were they handled?

Through this last year, there has been an increasing number of incidents where customers of high-profile companies have had their identifying data compromised. One of these incidents that put everyone in the IT world “on notice”, especially those involved in consumer-facing IT like ISPs or online services, was the Sony PlayStation Network / Qriocity break-in, attributed at the time to LulzSec / Anonymous.

Close to that, I had attended a presentation and interview concerning the security of public computing services hosted by Alastair MacGibbon and Brahman Thiyagalingham from SAI Global, the report of which you can see here.

The BigPond incident

Over the last weekend, Telstra had suffered a security breach that compromised the user details of some of their BigPond Internet-service customer base. This was through a customer-service search Webpage being exposed to the public Internet rather than Telstra’s own customer-service network.

The privacy compromise was discovered on Friday 9 December 2011 (AEDT) and mentioned on the Whirlpool forum site. It took the form of an in-house “bundles” search page exposed to the Web, backed by a database containing usernames, passwords and fully-qualified email addresses of a large number of the customer base.

Telstra’s response

But Telstra responded very quickly by locking down the BigPond customer email servers and Web-based self-service front-ends while they investigated the security compromise. The customers whose data was exposed had their passwords reset, and were required to call the BigPond telephone support hotline as part of the process.

As I have maintained an email account through this service for a long time, I took steps to change the password on that account, even though I wasn’t one of the customers subject to the mandatory password reset.

Telstra also maintained a live channel of communication to its customers through their own Web sites, through updates to the main media channels and through an always-running Twitter feed. Once the email system was open for business, a follow-up email broadcast was sent to all BigPond customers about what happened.

My comments on how this was handled

Like the Sony PlayStation incident, this one affected a high-profile, long-established brand which, like other incumbent telecommunications providers, has a bittersweet connotation. The brand is associated with a portfolio of well-established, high-quality, stable telecommunications services, but also with poor customer service and expensive services.

What I saw was that after the Sony incident and similar incidents against other key brands, Telstra’s IT divisions weren’t taking any chances with the data representing their customer base. They quickly locked down the affected services and forced the necessary password resets to reduce further risk to customers, as well as keeping customers and the public in the loop through their media, Web and Social-Web channels.

The Telstra incident also emphasised that risks can come from within an affected organisation, whether through carelessness or, at worst, deliberate treacherous behaviour by staff. As I said in the previously-mentioned interview and conference article, Australia needs data-protection legislation and procedures in place so that a proper response can occur when these kinds of incidents happen.