Computer Tech Mobile

Online security in the shopping season

Online security should always be a concern for anyone using the internet, but it matters more around the major holidays, when many people who rarely shop online do so for the first time. Black Friday especially is a big drawcard.

The fact is that online security is part common sense and part preventative maintenance. If you get the basics right, then you’re 90% there …

Richard Henderson @ Fortinet has put a great list together that will help perennial shoppers, daily buyers and those just dipping their toes into the water.

Take a look …

Apple Pay thoughts and security

The big Apple event on Tuesday wasn’t that big a deal in my opinion. The iPhone 6 was expected, although not in two editions, but that is the least Apple had to do to catch up with Android. Apple Watch? Meh … sleek industrial design and interesting software options, but ultimately I still think that smart watches in general have limited use.

Couple of reasons why:

  • short battery life – until you start using one of these, you won’t realise what an issue that is ( my current Seiko is going on for 4 years now on the same battery, 1 day on a charge for smart watches is a problem)
  • you don’t get any health info while your watch is on charge because you can’t wear it at the same time as charging
  • security – smart watches can be hacked; do you really want your health and personal info out there for all to see? And how do the vendors handle your privacy and security?
  • you still need a phone to use in conjunction with most smart watches – no phone? limited usefulness …

So onto the main crux of this article: Apple’s new NFC-based payment system. What’s new? Well, pretty much nothing that hasn’t been done before – think Google Wallet. They have good integration with Touch ID on the iPhone and the on-board secure element that holds the payment credentials, along with agreements with a number of American banks and the three main payment networks, American Express, Mastercard and Visa. The only benefit Apple brings to the table is a large user base and a knack for popularising systems like this. And that is it.

With Apple stepping into the NFC payments game we will see a large increase in the number of people using it. This of course will lead to security and privacy concerns, not only about potential vulnerabilities in the technology itself and how criminals can exploit them, but also about users failing to secure their devices, and therefore their electronic wallets, properly. Some banks are even putting per-transaction limits in place as a form of risk control.

Although the recent theft of celebrities’ private photos from iCloud wasn’t entirely Apple’s fault, the episode goes to show how far end users and vendors still have to go in understanding personal security and privacy. And that’s the crux of the matter. We’ll also have to see how country-specific consumer-rights, privacy and other laws affect a global product like this.

But security is always a primary concern. And while Apple has promised fixes to iCloud and iOS in the coming period, the perception of Apple’s security is not good, and their track record is similarly poor.

Anyone can spend $1500 on Elcomsoft’s iOS Forensic Toolkit or $79 on the Phone Password Breaker and, given physical access to the device or a copy of its iTunes backup, proceed to literally pull an iPhone apart, getting access to pretty much every single piece of data you’ve ever put on there. There are also cheaper ( $0 ) hacks out there involving an iPhone and iTunes running on a Windows machine. A strong passcode and an encrypted backup with a long password raise the bar considerably, since the password-breaking tools work by guessing weak ones. Still, scary stuff when you’re storing potentially vital personal data on your phone.

So what else can we say about Apple Pay? There are some more practical issues:

  • battery life of your phone will suffer with having NFC switched on all the time ( I can’t see people turning it on and off when required )
  • there is a much wider attack surface with NFC being switched on all the time, potentially leading to a security nightmare
  • the payment industry is actually moving away from NFC towards biometrics
  • many US retailers and banks have cited the high cost of NFC-enabled payment equipment as a reason for not going all in

So, while I think Apple could be moderately successful with something like this, there are significant issues to be worked out in the practical implementation. We’ll see …

Windows ( XP ) and ATMs

Regular readers of this blog will know that I’ve ranted in the past about the use of Microsoft Windows by banks in their ATMs. The idea of using one of the most insecure and targeted operating systems in existence to run what should be a very secure device just boggles the mind. My own bank does this as well ( despite a number of complaints I’ve sent them in this regard – why aren’t they listening to me? ) and I’ve resorted to not drawing cash from ATMs anymore if I can avoid it.

There have been a number of threats to ATMs over the years, the latest being Ploutus, malware designed specifically with ATMs in mind. The original version required that a keyboard be hooked up to the ATM, but the latest versions need only a mobile phone tethered to the ATM over USB and an SMS command before the ATM spills its guts, literally.

In the past there was a smidgen of mitigation because Windows XP ( the most used version of Windows in ATMs ) still received updates, but as of April 8th next month that will no longer be the case. Microsoft is finally putting XP out to pasture, which is a pity as, in the last decade, XP has arguably been the most successful version of Windows. Not only is XP support ending, but so is support for Microsoft Security Essentials, Microsoft’s in-house AV tool which provides some protection against Bad Stuff(tm); Microsoft has said it will keep shipping antimalware signatures to existing MSE installations on XP until July 2015, but a signature feed is no substitute for OS patches. One caveat: ATMs built on Windows XP Embedded or Windows Embedded POSReady 2009 rather than desktop XP remain supported for longer ( January 2016 and April 2019 respectively ), so check which variant your machines actually run before assuming they are cut off.

There is talk of using Linux or Windows 7 in ATMs going forward but financial firms are glacial in their migration projects so I don’t expect anything here soon. That means that ATMs using Windows XP will be at a greater security risk than before ( considering it was already bad, this is not good news ).

One of the biggest issues in migrating to newer versions of Windows is application compatibility. There are some options here:

  • rewrite the app to run on Windows 7 ( and above )
  • virtualise or remote the app, e.g. with VMware ThinApp, Citrix XenApp or Microsoft RemoteApp ( not supported for IE6 apps )
  • migrate to a different platform, eg. Linux
  • dump the app and use something else

In all cases the cost and effort of change is huge for many, and so they will keep running the current systems, possibly to their security detriment. Even upgrading to Windows 7 may not be good enough, seeing as mainstream support ended in January 2015 and extended support ends in January 2020 ( which is not that far away ).

It’s a tangle, but this is one of the issues that corporates and others struggle with as a result of their use of commercial software. Two of the bugbears that many commercial companies accuse Open Source of, fragmentation and too much choice, suddenly become a very big pro when it comes to issues like this. EOL for Ubuntu? Switch to CentOS … EOL for SugarCRM? Switch to openCRX. And so on.

Suddenly that “too much choice” argument is falling by the wayside ( as if it ever held any water ) and FOSS is looking as attractive as ever. For those running Windows XP in office environments, a standard Linux desktop is quite an adequate replacement. Unless you depend on some niche or proprietary apps, Linux should be on your migration radar.

The people we trust

The right to privacy in the new social era is no longer a given. In fact, many say that you should expect no privacy for information made available on the Internet. I’m a half-and-half kinda guy in this argument. On the one hand, pure social media information should be assumed to be public, although service providers in this area have to give users control over privacy settings. On the other hand, Internet services deemed private by the majority ( eg. email services, closed forums, etc. ) should be private by default and have a reasonable amount of security attached. Salted, hashed passwords are a given.

The number of recent breaches of services that one expects privacy and security from, however, should make you think twice about the information you put out there. Not only are service providers struggling with availability, they’re also struggling with security and privacy. And many service providers still store passwords as unsalted hashes ( or worse, in plaintext ), which means that when their database is stolen and published online, the passwords can be cracked in bulk with a single precomputed lookup table.
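The two paragraphs above say salted, hashed passwords are a given and that unsalted dumps crack in bulk. The following added example, which is not code from the original post, shows why: it builds a constructed two-user dump (sample users, passwords and wordlist are assumed, not from any real breach), cracks the unsalted version with one lookup table, then stores the same passwords with per-user salts and iterated PBKDF2-HMAC-SHA256 from Python’s standard library and verifies them with a constant-time comparison. The storage string format (`pbkdf2_sha256$iterations$salt$hash`) is an assumption made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (assumed for this example): two users who happened
# to pick the same password, and a small attacker wordlist.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}
WORDLIST = ["password", "letmein", "correct horse battery staple", "qwerty"]

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """What many breached sites did: one bare SHA-1 per password.
    Identical passwords give identical hashes, so one table cracks them all."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_with_table(leaked: dict, wordlist: list) -> dict:
    """Offline attack on an unsalted dump: hash each guess ONCE, then look up
    every user in the table. Cost is len(wordlist), regardless of user count."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a salted, iterated PBKDF2-HMAC-SHA256 hash as one self-describing
    string (assumed format: algo$iterations$salt_hex$hash_hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def duplicate_hashes(dump: dict) -> int:
    """How many stored hashes repeat. A non-zero answer on a dump means
    identical passwords are visible to anyone holding the file."""
    return len(dump) - len(set(dump.values()))


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted dump:", unsalted)
    print("cracked with one table:", crack_with_table(unsalted, WORDLIST))

    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("salted dump:", salted)
    print("duplicates visible:", duplicate_hashes(salted))
    print("alice logs in:", verify_password(USERS["alice"], salted["alice"]))
    print("wrong password:", verify_password("wrong", salted["alice"]))
```

With the salted dump, the attacker has to run the full PBKDF2 work factor once per guess per user, and the fact that alice and bob share a password is no longer visible in the file. Storing the iteration count alongside the hash lets you raise the work factor later and rehash users on their next login.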

Trust is something else completely. This is where we expect the service provider to consider our personal information and data sacred. Microsoft’s recent admission that it snooped on emails inside a Hotmail user’s mailbox without permission is a stunning indictment of service providers’ accountability when it comes to our privacy and security. This should, by all accounts, be a criminal event, no matter the fact that Microsoft owns the infrastructure your data is stored on.

In testimony before the Privacy and Civil Liberties Oversight Board on Wednesday, NSA general counsel Rajesh De and his colleague stated that the tech companies which denied giving access to user data via the PRISM program were, in fact, lying. OK, so we’re not really impressed by the NSA’s actions over the last year or so, and their track record in terms of trust stinks, however I would quite easily accept that service providers were complicit in the NSA’s collection of communications. It would be difficult to intercept comms on the scale that the NSA has without support from service providers.

Dropbox? Gmail? LinkedIn? etc. Think twice about the security and privacy of your data when storing it online. Unless it’s stored in your own private solution, your data is seemingly no longer private, even when there is a good expectation of that privacy.

UPDATE: So Microsoft have covered themselves as follows:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public.

You have it from the horse’s mouth – your data is not safe when stored on Microsoft’s systems.

Android Security

I’ve been a keen Android user for many years now, as I am with all things Linux. I really do believe that Linux, and the other associated FOSS software, has proven a great advantage for us bipedals, allowing those in a not so fortunate financial situation to still use high grade software and achieve their goals. And Linux has had what can only be described as an enviable track record with security – it hasn’t come out completely unscathed, but it has remained consistently ( considering it is one of the most complex ) a very secure piece of software. And many other FOSS projects exhibit the same vein of stability and security.

There is a whole lot of rhetoric and FUD from commercial companies regarding the use of FOSS in the enterprise,  but that is just what it is and mostly without substance. FOSS has proven itself over the years and is not only the biggest class of software used world-wide for Internet infrastructure, but it has also made huge inroads in the corporate market and is now a standard there.

So the fact that Android as a platform has become more or less ubiquitous is very good news. Of course, any ubiquitous platform becomes a target for crackers, malware and virus vectors ( witness the thriving market for Windows-based security issues ). And it’s clear from many sources that there is a very large amount of bad stuff targeting Android. What’s not so clear, and has been almost completely absent from those spouting the numbers ( mostly AV companies ), is how much of this stuff is actually having an effect on Android devices in use.

And the answer is apparently very little:

So for those running Android, don’t believe the security hype – just make sure you follow good security practices when using your mobile phone or tablet ( well, in fact any computing device ): install apps only from a trusted store, keep the OS and apps updated, and use a screen lock. Do that and you’ll be fine.