Monday, July 27, 2015
Would you share your Wi-Fi password with your Facebook friends, or your Skype and Outlook.com contacts for that matter? Microsoft thinks you should, and so makes this a default setting of Windows 10. Welcome to the very weird and insecure world of Wi-Fi Sense. There is no official press launch for Windows 10, but there is an invite only 'fan celebration' the night that the new operating system goes public. I will be there, despite my fan status being debatable, but I will not be raising a glass to one aspect of Windows 10 that makes no sense whatsoever to me: Wi-Fi Sense. By rights this should be renamed by Microsoft to Wi-Fi No Sense At All because it really is one of the silliest things to emerge from Seattle since Windows Me.
Tuesday, July 21, 2015
An SCMagazineUK.com investigation was able to access the editable Schengen visa application forms of three totally random people, some FOUR DAYS after operating company VFS Global said a vulnerability had been fixed and the system was now secure. Visit the VFS Global website and it not only celebrates having handled 100 million visa applications but also boasts of being the world's largest outsourcing and technology services specialist for governments and diplomatic missions worldwide. It specialises in "visa and passport issuance-related administrative and non-judgemental tasks" for client governments, of which there are 45 around the world. What you won't find any mention of is what appear to be systemic failures when it comes to security. A vulnerability which first hit the media courtesy of SCMagazineUK.com contributor and veteran security journalist Davey Winder back in 2007, and led to an independent enquiry ordered by the UK Foreign Secretary, re-emerged last week, some eight years on.
People in your organisation are probably sharing passwords, using unauthorised devices and applications to access corporate data, and unauthorised cloud stores for good measure. Some won’t know this breaches company security policy, others will and won’t care. Some of the perpetrators will be on the shop floor, others around the boardroom table; this wilful disregard for secure best practice knows no pay grade boundary. Truth be told, the chances are high that people just don’t care about your carefully considered ‘security posture’ or really give one, let alone two, hoots for the day-to-day security message on a personal level, whether it’s out in the field or up at the executive level. Now that you’ve read that admittedly somewhat ‘paint it black’ introductory paragraph, I urge you to go back and read it again.
Tuesday, July 14, 2015
Much of the talk to date has focused on how comfortable shoppers will be waving their iPhone around at the checkout, as opposed to producing a credit or debit card like everyone else. Worrying whether your fellow shoppers will regard this as cool or more akin to a "nerd wave" is, frankly, pointing your consumer anxiety in the wrong direction – you should be more concerned about how secure Apple Pay actually is. Before you even consider using Apple Pay, you should satisfy yourself that the security measures put in place by Apple bolster rather than weaken existing contactless-card safeguards.
Thursday, July 09, 2015
Eyeprints - of veins in the white, not the iris of an eye - captured via selfie are another biometric option for two-factor security, but concerns about the implications of compromise remain. Biometric security vendor Solus has launched a selfie-based two-factor authentication (2FA) system called Eyeprint which promises a low-cost and 'hardware free' solution to the 2FA conundrum. Actually, the Eyeprint solution isn't hardware free, but it does take the 2FA mantra of something you know, something you have to the next level. You will already have a smartphone, and you most likely already have eyes, which just leaves you needing to know how to take a selfie and remember a PIN. But just how secure is all this fancy eye scanning stuff, especially if it's taking place on your phone?
Thursday, July 02, 2015
Enigma is the brainchild of a couple of Bitcoin entrepreneurs who, together with an MIT Media Lab researcher, have used features from the decentralised Bitcoin network architecture, including an external blockchain, to create what they reckon will be the ultimate peer-to-peer network for storing and running computations on data whilst keeping it completely private at the same time. Enigma breaks your data up into tiny chunks and then randomly distributes meaningless bits of those to nodes in the network, where the calculations are performed on each discrete lump before being returned to the user, where they are put back together to form an unencrypted whole again. Obviously there is some maths involved to enable each node to do whatever computational task is required on just that miniature piece of data. Equally obviously, the more nodes there are the quicker the computing is and, importantly, the more secure this thing is, as the pieces will be smaller. The Bitcoin blockchain keeps track of who has what and where by way of a metadata store, unforgeable courtesy of being copied to thousands of computers.
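The "maths involved" is easiest to see with the simplest secret-sharing scheme. The following is an added illustration, not Enigma's own code or protocol: each value is split into additive shares over a prime field, every node adds up only the column of shares it holds, and the user reassembles the total from the per-node partials. The modulus, the sample values and the node count are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// All shares live in Z_p; 2^127-1 is a Mersenne prime (a constructed choice for this demo).
var p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

// Split turns x into n additive shares: n-1 uniformly random field elements plus one
// fixed so they sum to x mod p. Any n-1 shares are independent of x, so one node's lump is meaningless.
func Split(x *big.Int, n int) ([]*big.Int, error) {
	shares := make([]*big.Int, n)
	sum := new(big.Int)
	for i := 0; i < n-1; i++ {
		r, err := rand.Int(rand.Reader, p)
		if err != nil { return nil, err }
		shares[i] = r
		sum.Add(sum, r)
	}
	shares[n-1] = new(big.Int).Mod(new(big.Int).Sub(x, sum), p)
	return shares, nil
}

// AddMod sums field elements mod p. Addition is linear, so a node summing the shares it
// holds produces a share of the true sum; the user applies the same step to reassemble.
func AddMod(xs []*big.Int) *big.Int {
	sum := new(big.Int)
	for _, x := range xs {
		sum.Add(sum, x)
	}
	return sum.Mod(sum, p)
}

// SumOverNodes splits every value across n nodes, lets each node add only its own column, then reconstructs.
func SumOverNodes(values []*big.Int, n int) (*big.Int, error) {
	columns := make([][]*big.Int, n)
	for _, v := range values {
		shares, err := Split(v, n)
		if err != nil { return nil, err }
		for i, s := range shares {
			columns[i] = append(columns[i], s) // node i only ever sees column i
		}
	}
	partial := make([]*big.Int, n)
	for i, col := range columns {
		partial[i] = AddMod(col) // computed locally on node i, without seeing any input
	}
	return AddMod(partial), nil // user reassembles the unencrypted answer
}
```

Multiplication needs extra machinery beyond this (shares of a product are not the product of shares), which is where schemes of this kind get their real complexity.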
Action video camera vendor GoPro has announced that it is riding into the Tour de France with a promotional video to celebrate being named the official camera of the world's largest annual sporting event, with a worldwide television audience of some 4 billion people, but not before the BBC reported how GoPro cameras could be used to spy on their owners. But it gets worse for GoPro, as now Pen Test Partners has also explained in a blog posting how the GoPro Studio editing software was making update requests using an unencrypted HTTP connection, which could enable an attacker on public Wi-Fi to inject a fake, malicious code update instead. "It's fairly easy to add malicious code into pre-existing binaries and therefore we could abuse this to introduce backdoors to the victim whilst also letting them update their GoPro Studio software at the same time," the post warns.
Friday, June 26, 2015
According to the Japan Real Time blog, Toshiba is working on a 'foolproof' quantum-cryptography system that industry analysts claim cannot be breached. Immediately this raises a number of red flags, not least the use of words such as unbreakable in relation to any encryption system, next-generation or not, and the fact that the analysts who are apparently claiming this remain unnamed in the report. SCMagazineUK.com decided to take a closer look. The Toshiba system, which starts a two-year-long third-party data testing phase in August, uses photons delivered via custom fibre optic cables which are not connected to the internet. According to the unnamed analysts in the report, the one-time key is the same size as the encrypted data, so decoding without the correct key would be impossible as there will be no repeated use of the pattern. It may sound fantastical, but quantum cryptography really isn't anything new, nor has it proven to be as unbreakable as the boffins would have us believe.
Wednesday, June 24, 2015
Earlier this month, security outfit FireEye's 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day Adobe Flash Player vulnerability (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not. I'm with Brian Krebs who, just the other week, wrote about how he has "spent the better part of the last month running a little experiment to see how much I would miss Adobe's buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much." C'mon folks, be honest now: do you really need Flash, do you really use it and would you really miss it? Let's all do the decent thing and shoot this sick beyond belief monstrosity in the head...
A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and, to be honest, nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos which means covered and graphie which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and log in to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool being deployed by cybercriminals.