Social Media Identity Security


Social Media Identities have been in use for a while now as an alternative to the traditional username and password.

When signing up for a web based service you are presented with a dialogue box asking you to sign in with one of a number of Social Media Identities, such as Facebook, Twitter, LinkedIn, Google or another service. Usually near the bottom of the dialogue box is an option to set up a user id and password.

It's commonplace now for users to just click one of their identities to gain immediate access to that site. But how often do they stop and think about what the effect of that is?

Why is this important? Here is a good example:

Recently Spotify have been telling users to change their passwords:

http://security.stackexchange.com/questions/134717/spotify-password-compromised

Hi Spotify User

To protect your Spotify account, we’ve reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password.

Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure.

What is happening is that your details are being checked against a leaked credential list and cross-checked against their own system. This matching is based more on the email address than on the password.

The bit of information that is missing, though, is what the other leak was. Is it a recent leak, and is this a published or an unpublished list?

You can use a service such as https://haveibeenpwned.com/ to see if your email address is in a known published list; however, it can't check those lists that haven't been published.

If your social account is hacked, does that compromise and open up all of the linked services? Most probably.

Some simple steps to follow:

  • Don't link everything to one Social Media Account
  • Think about using a traditional username and password for some services
  • Don't use the same password across your Social Media Identities
  • Change your passwords on a regular basis
  • Use a good password length and mix of characters (alpha, numeric, special characters)
  • Use an additional layer of security; see: Are you using 2 step logins?


Social Norms: Credit and Loyalty Cards

A round-the-watercooler chat with a colleague this morning (Graham Chastney) sparked an interesting discussion about one of life's social norms: credit and loyalty cards, their uses and their sizes. The conversation came about as we were discussing paying for a coffee and the merits of cards versus mobile payment systems.

As a society we have over a number of years been enticed with small bits of plastic containing chips and tags for Debit/Credit Cards and Loyalty Cards.

But why is it the size it is?

Forbes have an article that looks at “How Was The Standard Size Of A Credit Card Or A Business Card Established?” The post says:

The credit card was just the business card juxtaposed to the size of the standard business card, for ease of use in the wallet.

Faisal Khan, Forbes

and goes into some of the history behind this as well as a useful infographic on the subject.

Its size has been adopted for many other things, such as the typical pass that gets you through the doors at your place of work and past Security/Reception in the morning.

In the main these have stayed the same size, with a recent change to keyfob versions of loyalty cards, approximately a third the size of the normal cards. I have seen a few dropped and discarded keyfob versions around supermarket car parks where they have fallen off a set of keys through wear and tear.

The standard size of the card has allowed us to secure them in ways that make us comfortable, such as wallets, purses and card holders.

With the move to contactless payments there has been an increase in the variety of RFID blocking wallets available in the marketplace, to help prevent accidental contactless payments and the broadcasting of your data.

We also expect, as second nature, to see a standard sized card when someone transacts with us.

But what is next for the card? Are cards still needed?

One could argue that the card has already changed a lot with the move to digital payments that don't need a card at all, but there is something about having that piece of plastic to make a payment with.

There are applications now available that replace your plastic loyalty cards with a barcode on your mobile device that can be scanned at the till.

Going outside of the norm and showing some innovation, one lady has taken the chip out of her Oyster Card (used around London to pay for and gain access to travel by tube, bus, etc.) and embedded it in a set of false fingernails.

One company has a single card that can replace up to eight of the cards in your wallet (https://onlycoin.com/), storing the data on a chip in the card and letting you select the card you want to use via a simple button.

The card size is an integral part of society, and whilst there are so many devices built to accept that size (tills, cashpoints, wallets, etc.) it will continue to be the norm. A move to the next generation of digital solutions will help reduce the number of cards we carry; however, what remains will still be the size of card that is easily recognisable throughout the world.


Are you using 2 step logins?


Another report today of data being put up for sale on the Dark Web. This time O2 have had data stolen and put up for sale, according to a BBC News report.

So the usual changing of passwords is key, to ensure that yours is not the same as one on a list. Typically any logins and passwords for sale will be tested on multiple sites by attackers to check whether you have used the same password on more than one site. Good practice is to use different passwords on different sites to defeat this technique; however, managing such a practice often stops it from being done. People may decide to install a password manager to help them navigate the myriad of logins and passwords.

A lot of sites now accept authentication via Google, Facebook or other services. However, how many people take advantage of the additional security offerings from these companies?

Google and Facebook do offer a two-step authentication process for any new device that is logged into with the Google/Facebook account. This can use the same Google Authenticator application on your mobile, which provides a verification code that refreshes every minute.

https://www.google.com/landing/2step/

The service can be used for other applications too, such as WordPress.

If you sign in to applications with these accounts, you should spend the short time it takes to set up 2-step authentication and add the extra layer of security to your account.


Pen Based Productivity Tools – The Chronodex 2016 part 2


The second half of the year has been released for the Chronodex by Patrick Ng.

Available at:  https://app.box.com/s/ln730mbtqhd7kkkp8aj8osknzv3pw7zd

There is still a place for journalling with a pen rather than a blog post, as discussed here: No Batteries Required: My Personal Journal. I am now on my 17th journal and still going strong.

BBC Micro:Bit available for the masses


It's been a while now since the launch of the BBC Micro:Bit and its mission to provide Year 7s with the platform. It has only recently been made available to the general public, initially in batches of 90; however, this has now shifted to being able to purchase single units, and development kits are also being produced for pin-outs and expansions. I've seen several dates for availability in online shops, from the end of June to the end of July. Most places have the Micro:Bit on pre-order only at the moment, but peripherals are available to ship.

Coming in at around £13.00 for a board, it's more expensive than the Pi Zero at £5.00. I was expecting something in a similar price bracket. There are some interesting projects already appearing on the web.

One outlet stocking the Micro:Bit shortly (other online outlets are available): https://shop.pimoroni.com/products/microbit

I have placed a pre-order for one to have a go with, so will post some more about it once received. I'm looking to use the Micro:Bit and Pi Zero to help my Scout Group with their Digital Maker and Digital Citizen badges.


In the meantime here is an example of use from Chris Swan programming a game of Simon on it. http://blog.thestateofme.com/2016/05/15/microbit-simon/


State of DevOps Report 2016


Puppet have released their latest “State of DevOps Report for 2016”.

Having read the previous couple of years' reports, these give a good view of what is going on across the industry and are definitely worth downloading and reading.

Highlights from the latest reports are:

  • High-performing IT organizations deploy 200 times more frequently than low performers, with 2,555 times faster lead times.
  • They have 24 times faster recovery times and three times lower change failure rates.
  • High-performing IT teams spend 50 percent less time remediating security issues.
  • And they spend 22 percent less time on unplanned work and rework.
  • Employees in high-performing teams were 2.2 times more likely to recommend their organization as a great place to work.
  • Taking a lean approach to product development (for example, splitting work into small batches and implementing customer feedback) predicts higher IT performance and less deployment pain.

Source: https://puppet.com/resources/white-paper/2016-state-of-devops-report

Configuring the Raspberry PI with Ansible and AWSCLI


I wanted to set up my Raspberry Pi with Ansible and the AWSCLI package to allow the creation of AWS servers from the Pi.

As I was recycling a card I no longer needed, reformatting the card and installing Raspbian on it seemed a sensible start.

I use the SD Formatter programme to ensure that the SD Card is formatted correctly.

https://www.sdcard.org/downloads/formatter_4/

I then downloaded the latest image of Raspbian and used Win32DiskImager to write the OS onto the card.

http://www.raspberry-projects.com/pi/pi-operating-systems/win32diskimager

I have been caught out before with errors of “No space left on device” or similar, so the first command I run is

sudo raspi-config

Then select the Expand Filesystem menu option. This ensures that all the SD card is used.

A reboot is required for the changes to take effect.

The Pi is now ready to begin downloading packages.

The next task is to update and upgrade the software on the Pi using

sudo apt-get update
sudo apt-get upgrade -y

or

sudo apt-get dist-upgrade

The extract below helps to explain the difference between upgrade and dist-upgrade:

upgrade
    upgrade is used to install the newest versions of all packages
    currently installed on the system from the sources enumerated in
    /etc/apt/sources.list. Packages currently installed with new
    versions available are retrieved and upgraded; under no
    circumstances are currently installed packages removed, or packages
    not already installed retrieved and installed. New versions of
    currently installed packages that cannot be upgraded without
    changing the install status of another package will be left at
    their current version. An update must be performed first so that
    apt-get knows that new versions of packages are available.

dist-upgrade
    dist-upgrade in addition to performing the function of upgrade,
    also intelligently handles changing dependencies with new versions
    of packages; apt-get has a "smart" conflict resolution system, and
    it will attempt to upgrade the most important packages at the
    expense of less important ones if necessary. So, dist-upgrade
    command may remove some packages. The /etc/apt/sources.list file
    contains a list of locations from which to retrieve desired package
    files. See also apt_preferences(5) for a mechanism for overriding
    the general settings for individual packages.

If you want to clean up the build and remove any package files the following command can be used. This can also help save space if you have a small card.

sudo apt-get clean

After some Googling I found a good set of instructions on installing Ansible onto the Pi. As this Article says it needs some extra bits to make it work.

https://www.whiskykilo.com/install-ansible-on-rpi.html

There are a couple of steps missing from that site, which I have added in below.

sudo apt-get install python-dev -y

sudo apt-get install libffi-dev libssl-dev -y

cd ~

wget https://bootstrap.pypa.io/ez_setup.py -O - | sudo python

wget https://pypi.python.org/packages/f7/83/377e3dd2e95f9020dbd0dfd3c47aaa7deebe3c68d3857a4e51917146ae8b/pyasn1-0.1.9.tar.gz#md5=f00a02a631d4016818659d1cc38d229a

tar -xvzf pyasn1-0.1.9.tar.gz

cd pyasn1-0.1.9

python setup.py install

cd ~

wget http://releases.ansible.com/ansible/ansible-2.1.0.0.tar.gz

tar zxvf ansible-2.1.0.0.tar.gz

cd ansible-2.1.0.0

make

sudo make install

cd ~

It is always worth checking to see if there is a later version of the packages available and making the necessary changes to the lines above.
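Before running `sudo python setup.py install` or `sudo make install` on a tarball fetched with wget, it is also worth confirming that what arrived is what the publisher hashed; the pyasn1 URL above carries its expected md5 in the URL fragment (`#md5=...`). The script below is an added example, not part of the original post: it pulls the md5 out of such a URL and compares it with the downloaded file. The URLs and the empty file in the demo are constructed for illustration; note that an md5 in the download URL only detects a corrupted or swapped file, not a compromised publisher.

```shell
#!/bin/sh
# Verify a downloaded file against the md5 carried in its URL fragment.
# Added example for this post; URLs ending in .invalid are constructed, not real.

# Print the hex digest from a "#md5=<hash>" URL fragment (lower-cased), or nothing if absent.
md5_from_url() {
    printf '%s\n' "$1" | sed -n 's/^.*#md5=\([0-9a-fA-F]*\).*$/\1/p' | tr 'A-F' 'a-f'
}

# md5 of a file, using md5sum (Linux/Raspbian) or md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_download FILE URL
# Returns 0 when FILE matches the md5 in URL, 1 on mismatch, 2 when URL has no md5 to check.
verify_download() {
    expected=$(md5_from_url "$2")
    if [ -z "$expected" ]; then
        echo "no md5 in URL for $1, cannot verify" >&2
        return 2
    fi
    actual=$(file_md5 "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK $1"
        return 0
    fi
    echo "MISMATCH $1: expected $expected got $actual" >&2
    return 1
}

# Constructed demo: an empty temp file (md5 d41d8cd98f00b204e9800998ecf8427e)
# checked against a made-up URL carrying that digest.
demo() {
    f=$(mktemp)
    verify_download "$f" 'https://example.invalid/empty.tar.gz#md5=d41d8cd98f00b204e9800998ecf8427e'
    rc=$?
    rm -f "$f"
    return $rc
}

demo

# For the real pyasn1 download from the post, after the wget step:
#   verify_download pyasn1-0.1.9.tar.gz "$PYASN1_URL" && tar -xvzf pyasn1-0.1.9.tar.gz
# where PYASN1_URL is the full pypi URL including its #md5= fragment.
```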

Next install the boto package

pip install --user boto

Next install the awscli package

sudo pip install awscli

More information on installing awscli can be found at http://docs.aws.amazon.com/cli/latest/userguide/installing.html

Once installed you can then use the

aws help

command to check the installation has worked.

To configure the awscli, follow the instructions at http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html, assuming that you have an AWS account already.

Using the

aws configure 

command you can enter your keys. The keys below are examples only:

$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: ENTER

You should now be able to use Ansible and the AWSCLI on your Raspberry PI.

Taking the ServiceNow Administrator Certification


It's been a while since my last blog post, mainly because I have been studying to take an exam following a course on ServiceNow Administration, so my mind has been on passing that.

Getting back into taking exams has been an interesting process for me as I have been recently learning and practising what I have learnt for my CPD (Continual Professional Development) and Personal Development.

Right from taking exams back at school, the advice given then has always stuck with me: break the subject down into the parts needed for the exam, then Learn, Revise and Test.

Back in my day (sounding old now!) we had pen and paper and index cards written out with crib notes. I have since moved to a mini tape recorder and then to notes on a computer, videos and online tests/practice exams. Each of these methods has its place and is still in use today.

Studying for this exam, I found myself going back to recording my notes as a good method of learning.

The internet does provide a good set of resources available to study from, such as:

  • Training Courses
  • Self-paced training modules
  • Knowledge bases / wikis
  • Blogs
  • Forums
  • Official Documentation
  • Developer/API resources
  • Videos/YouTube
  • Demos/Test/Dev Systems to study on

I did pass the exam and am now looking at my next area of study and certification.

Keeping yourself current and up to date and recording your CPD is important. I have written some blog posts on this subject previously:

Recording your CPD
The Nature and Cycle of CPD
CPD is a two way street
A balance of Verifiable and Non-Verifiable CPD
How much CPD/Training should you be doing?

For those taking the ServiceNow Certifications this blog post is a good start on how to start learning ServiceNow:

https://community.servicenow.com/groups/developer-certification/blog/2015/09/03/learning-servicenow-from-scratch-and-prepping-for-the-certification-exam

Good luck if you are taking an exam.

Pi Zero gets a Camera


Raspberry Pi have just released another 30,000 Pi Zero units to the marketplace. Finally I have managed to order one, after having the Pi Zero on my wish list for some time now.

The demand for the Pi Zero has meant that they do not stay on the shelves long. This has created a high cost market for them on popular auction sites and suppliers have been limiting people to 1 unit only when they order (if in stock).

The folks at Raspberry Pi are using a different manufacturing process to that of the Pi 1, 2 & 3 to keep costs down, and it looks like they are hopefully going to keep up with the demand.

“There are roughly 30,000 new Zeros out there today, and we’ll be making thousands more each day until demand is met.”

Thank you, Raspberry Pi.

So what's new with this Pi Zero?

The Pi Zero has had a bit of a revamp between manufacturing batches and now contains a camera connector. source: Raspberry Pi Blog

The camera connector is about £4.00, the same cost as the Pi itself (£4.00). Then there is the cost of the camera (approx. £23.00); however, it does make a low-cost camera unit and opens up the possibilities of the Pi Zero.

Picture: source Raspberry Pi Blog.

Just awaiting the postman now then time to do some more development stuff.


Apps – Why do you really need access to my devices camera?


How often do users of applications actually look at the permissions that an application requests during install or upgrade?

I recently received an update to an application on my Android phone that asked for additional permissions for the upgrade it was about to perform. The permission it wanted was access to the camera; however, the accompanying upgrade notes did not include any commentary on why it needs the camera or what for, and there is nothing stated in the T's and C's.

The app in question here is Adobe Acrobat Reader. There are many applications available that behave the same way, asking for permissions to parts of the device but not stating why.

Rechecking the Google Play Store notes for the app, they mention no need for the camera.

Adobe Acrobat Reader

Adobe Acrobat Reader is the free, trusted leader for reliably viewing, annotating and signing PDFs.

VIEW PDFs
• Quickly open PDF documents from email, the web or any app that supports “Share.”
• Search, scroll and zoom in and out.
• Choose Single Page, Continuous scroll or Reading mode.

ANNOTATE AND REVIEW PDFs
• Make comments on PDFs using sticky notes and drawing tools.
• Highlight and mark up text with annotation tools.

FILL AND SIGN FORMS
• Quickly fill out PDF forms by typing text into fields.
• Use your finger to e-sign any PDF document.

PRINT, STORE AND SHARE FILES
• Sign in to your free Adobe Document Cloud account.
• Connect your Dropbox account.
• Store and share files in the cloud.
• Print documents from your Android device.

IN-APP PURCHASE
Convert PDFs and organize pages on the go by subscribing to one of Adobe’s online services. You can get started without ever leaving your app, and subscriptions work across all your computers and devices.
ORGANIZE PAGES IN PDF FILES
• Subscribe to Acrobat Pro DC using In-App Purchase.
• Reorder, rotate and delete pages in your PDFs.

CREATE PDF FILES
• Subscribe to Adobe PDF Pack using In-App Purchase.
• Create PDF files.
• Convert Microsoft Office files and images to PDF.

EXPORT PDF FILES TO WORD OR EXCEL
• Subscribe to Adobe Export PDF using In-App Purchase.
• Save PDF documents as editable Microsoft Word or Excel files.

ALREADY A SUBSCRIBER?
If you have a subscription to Acrobat Pro, Acrobat Standard, PDF Pack or Export PDF, just sign in to convert and export PDFs on the go.

AVAILABLE LANGUAGES
English, Chinese Simplified, Chinese Traditional, Czech, Danish, Dutch, Finnish, French, German, Italian,
Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish and Turkish

PRICE
Acrobat Reader for Android is free.
By downloading, you agree to the Terms of Use at http://www.adobe.com/special/misc/terms.html.

Adobe Acrobat Reader – Application Permissions

This app has access to:

In-app purchases
Photos / Media / Files
  • modify or delete the contents of your USB storage
  • read the contents of your USB storage
Storage
  • modify or delete the contents of your USB storage
  • read the contents of your USB storage
Camera
  • take pictures and videos
Other
  • full network access
  • view network connections

Digging further into an Adobe community blog, I came across a post that states: “In Adobe Acrobat for mobile we have a feature to sign PDF by selecting an image file directly on the device or clicking a picture using Camera of the device”.

However going into the “Fill and Sign” function it wanted me to download yet another app called Adobe Fill & Sign DC. This app needs access to the camera to photograph signatures for documents. At least this app had a line in the key features as to why it needs access to the camera.

Key features:

– Scan paper forms with your camera or open a file from email
– Tap to enter text or checkmarks in form fields
– Fill forms faster with reusable text from your autofill collection
– Easily create your signature with your finger or a stylus
– Apply your signature or initials to documents
– Save forms and send to others via email


No explanation as to why the base application needs access to the camera though.

For me several things need to happen with mobile apps in general:

  • Developers need to be aware of what permissions are actually needed
  • Applications need to be more transparent on what they are actually doing
  • Descriptions for applications need to really state why the permissions are needed
  • T’s & C’s need to be updated to reflect what they will do with accessing functionality of the devices
  • Users need to be more aware of applications asking for permissions

Maybe it's time applications allowed users to change or block certain permissions at installation and upgrade, with the trade-off of reduced functionality within the application.

Of course, at the end of the day it's down to user choice as to which applications a user installs on their devices.
