Category Archives: Security

How much trust should we give apps with device permissions

13 Tuesday Jun 2017

Posted by in Digital, Security, Tools

Leave a comment

Tags

, ,

spyware-2319403_640Have you every gone to the app store and just installed something on there because it looks good and something you want to look at, or purchased a product and then installed the app without thinking or checking it out first? Lots of people do, but do they really know what is going on under the covers?

How often do you install an application onto your personal device without checking the permissions that it requires or know what the app has access to and what its doing?

These are relevant questions that we should be asking ourselves as we become more connected and joined together sharing our personal data. This is a subject that I have written about before on app permissions and is still relevant today.

I have recently been asked to look at a fitness braclet that someone had who wanted to install the app. What struck me about this app that basically allows you to control a basic fitness tracker was the permissions to allow access to the Camera and Microphone, when there is clearly no reason within the product or app to have them. Is this a lazy programmer who hasnt set the right permissions on the app or is there something else going on.

Invite

One of the great things I like about mobile devices now is the ability to actually turn these off myself.

So do I want my coffee app to know where I am all the time, maybe not, but I do know that it may need access to the storage to download the latest offers and store those discount vouchers.

Of course stopping a permission may cause application issues, however the important thing is that a user can say no.

So when was the last time you checked the apps installed on your device and their permissions?

Accepting automation – Do we need safeguards?

09 Tuesday May 2017

Posted by in Automation, Open Source, Productivity, Programming, Security, Tools

Leave a comment

Tags

, , , ,

CogsThere are many and apps available to help us automate basic tasks on our mobiles and computing devices. When choosing these tools, we often read reviews and then download the app, run and set up, then let it run its tasks accepting that it will carry out our requirements. But what happens when there is an issue.

I have a simple IFTTT (If This Then That) recipe running on my mobile phone that sends a test message when I leave an area set up in google maps using Geolocation and GPS to look at my location. A standard recipe for IFTTT.

Today whilst sitting at my desk the recipe triggered saying I had left the area, however I am sat in the middle of my geolocation fence which extends for about 1 mile around to allow some local area travel. The net result is the person who got the message thought I was on my way home, when in fact I was still at work.

Solution to my problem:

The issue with this recipe was caused by the Android operating system and the phone type causing some wonkiness with the location. I fixed this by ensuring all the packages are up to date, rebooting and using another app called GPS Status to assist with ensuring my GPS is working correctly and has the right the location. Also ensuring that the GPS is set to high dependency. The downside may be the drain on the battery with the extra services – I will monitor this going forward.

The main thing this points out is how we accept and then use an app/tool and expect it to work, but not consider the what ifs, such as what if the app triggers incorrectly. Should I have set any safeguards in the recipe or built a counter app.

No harm done in this case as it triggered a text message, but what if this had done something different such as put the heating on, turned on a kettle, opened the garage door, turned something else off? This could be reversed using another recipe to turn things off if I’m within the geolocation fence.

So, what can you do to ensure that your apps/tools and related apps/tools are reliable:

Research – review and research your app. Have there been any issues with running something similar.

Secure – Think about the security of the app and what you can do to protect yourself.

Update, Update, Update – keep the OS, Apps and related apps up to date. In this instance, Android, IFTTT, Google Maps.

Plan – for the what ifs. Allow a reverse control if needed such as turn off the kettle, close the garage, turn on the alarm.

Experiment – Dont be afraid to experiment to get the automation you require.

Safeguards – Think about any Safeguards you may need to build in such as a counter app.

Voice Assistants and The Letterbox Problem

16 Sunday Apr 2017

Posted by in Digital, IoT, Productivity, Security, Tools

Leave a comment

Tags

, , ,

microphone-338481_960_720There are lots of voice activated tools and services now available from software on your PC and in your car to physical hardware you can place around your home. These devices are becoming everyday occurrences, “Alexa, whats the weather”, “Siri, recipe for  Chocolate Cake” (too many to list).

The two main ways to control them is via a button press then speaking such as my car to get it into a listening state, or they are always in a listening state awaiting a set of specific interaction commands, such as the applications name. There is at least a turn of listening mode.

However with all these devices and software, there is a distinct lack of security around voice recognition and lack of interaction security. For instance a recent incident where a TV show caused a number of Dolls Houses to be purchased.

We are busy connecting these devices to all sorts of home automation to make it easier to do things, but how many stop to think of what I term as: “The Letterbox Problem”. This is where you have automated your home to a level that includes things like your lights, powered items and your house alarm. As you walk into your house you can say voice commands to turn on lights, put the kettle on and turn off the alarm. The Letterbox Problem happens when someone has the ability to literally shout through your letterbox and activate or deactivate items in your house. To a would be thief, turning lights on and off will check to see if anyone is at home first before going for the alarm.

There is a security challenge here is to ensure that a level of voice recognition and security controls are in place. Voice recognition by itself is not good enough as I’m sure you’ve heard an impressionist mimic a celebrity on a TV or Radio show.

I would like to see a form of two factor authentication on a voice system so it can be sure its me before it carries out the task. Voice may be one of these, but something else like a token code or app on the phone may be a solution.

There a number of basic steps you can take at the moment to help protect yourself such as:

  • Think about the systems you are connecting the voice device to. Can it compromise your security if anyone else uses it.
  • Use the mute button on devices or turn of listening mode when not in use.
  • Keep the devices updated with the latest patches and firmware.
  • Use good password security practices on any sensitive systems you use (ie Bank Accounts, Paypal etc).
  • Use strong passwords on any associated accounts to the voice assistants, (ie Amazon, Google, Apple etc).
  • If your system allows it, clear out its cache and old activities on regular basis so they can’t be replayed against you.
  • Don’t have a system listening when the TV or Radio is on, especially when your out of the room. You may end up with a new dolls house.

 

Stringing along the Scammers

16 Thursday Mar 2017

Posted by in Security

Leave a comment

Tags

PadlockIts always great when you get a phone call saying “Hello, I’m calling from Microsoft and we have noticed a problem with your computer”. My inner kid springs to life and its time to string on the scammers.

Unfortunately my fun was cut a bit short after the first couple of questions when I was asked what key was next to my Ctrl key on the keyboard. They are evidently looking for a Windows key and they hung up when I gave them the keys of an Apple Mac Keyboard.

The worrying part is that this practice is still going on and people fall for it giving out information and going to web pages that will hack their machine and cost them money.

There is some good advice at this page on not being caught out and what to do if you are:

http://www.pcadvisor.co.uk/how-to/security/microsoft-phone-scam-dont-be-victim-tech-support-call-3378798/

 

How secure is your home in the digital age?

06 Friday Jan 2017

Posted by in Digital, IoT, Security

Leave a comment

Tags

, ,

censorship-610101_640Reports from CES 2017 is seeing some great advancements in consumer tech coming out in the journey to digital. Coupled with some recent reports from around the web I have been thinking about the question “How secure is my home in the digital age?”

There are several ways into your home in the digital age. These could be grouped as several main areas:

  • Physical
  • Electricity/Power
  • Comms ( Landline & Fibre/Broadband/Wifi)
  • Mobile
  • Media (Things you bring into your home)

The below is some food for thought on some recent highlights in the news.

Physical

Physical security is a thing we normally take for granted these days. Good front and back doors with locks. Fences, gates, spiked bushes as well as house alarms make us feel fairly secure in our castles (homes).

There are some considerations though to physical security though as these days you can purchase a lock picking kit off amazon for £10.00. These are mainly for the purposes of learning and taking part in a growing hobby of lock picking for fun (There are national competitions for this) and I am certainly not suggesting any type of activity that is against the law.

Makes you stop and think though! I have taken the steps of upgrading my locks to anti-bump, anti-pick and anti-snapping ones just to be safe.

Most dwellings now have alarms. Some smarter than others as alarms can now be connected through wifi and connected to voice services such as Alexa.

https://www.cnet.com/uk/news/scouting-out-a-security-system-that-talks-to-amazons-alexa/

I’m in two minds about this level of connectivity – “Alexa, disable the house alarm” shouted through the letterbox could be a valid command on some systems.

Electricity/Power

Electricity is the lifeblood of the Digital Age. Without power to devices they are not really going to work.

Batteries and Energy Harvesting aside the main focus area for homes is the smart meter. This is usually placed inline before the electricity cable enters the home.

This is probably the most difficult for a home user to secure against a hacker coming in and from recent press probably the most worrying at the moment.

Hackers can attack smart meters and cause significant damage

http://www.theregister.co.uk/2017/01/04/smart_metres_ccc/

There is still someway to go to ensuring protection from this type of hack in the future.

Comms

Connectivity into the home is common place with routers and a level of firewalls in place. With the rise of connected devices, consumers may need to think about increasing their security and firewalls to cope with the increasing number of devices wanting connectivity back to the web.

LG are going to be putting wifi into every appliance it releases in 2017

http://arstechnica.co.uk/gadgets/2017/01/lg-wi-fi-in-everything/

Its essential to ensure any wifi used is secured and encrypted and router settings are changed from defaults where possible.

Mobile

I could have grouped this into the comms grouping, however the mobile is becoming more a personal control hub for our environments.

Android malware can manipulate your router

http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/

Good practices and checking the validity of apps can help against downloading malware. Also a good security app on the device will help.

Media

In this grouping I am classing anything that you bring into your home outside of the internet and connect it to a device. There are still a lot of USB sticks used and other media so anti-virus and malware checking is essential.

With these things in mind, the consumer has a lot of things to consider as they allow their home to become more connected. Following good security practices needs to become second nature and perhaps more communication to the person on the street on security when an item is purchased.

IoT Best Practice Guidelines – Many more out there…

13 Tuesday Dec 2016

Posted by in IoT, Security

2 Comments

Tags

,

ThingsThe IOT Security Foundation has released three best practice guidelines on:

  • IOT Security Compliance Framework
  • Connected Consumer Products
  • Vulnerability Disclosure

I am currently reading through these with interest, especially the paper on Vulnerability Disclosure. Something that some companies do well and and some not so. I can see companies legal departments advising on this one, however it is an important topic for the industry to address.

These best practices provide one lense to look through on the issue of IoT Security as the industry still has a journey to complete with providing as set of universal standards due to the number of Groups and Communities publishing best practices, guidelines and standards. Some are specific to products and services and some are generic.

I have previously listed a number of IoT Groups in a previous blog post on IoT Standards

Links below from that blog post to some of the Groups/Communities

I had not listed the IoT Security Foundation on that original list so have added above. There are probably groups and comitties not listed here. Please comment below if you know of any others.

Choosing to follow best practices is a good thing. Choosing which best practice to follow can be a harder choice to make.

Until such time as a couple or even one set of standards, a hybrid Best Practice may present a good approach, picking the synergies between the best practices and standards, then bringing in the other ones needed.

These latest best practice standards do state that they are generic and up to the indivudal to adopt.

 

 

Social Media Identity Security

25 Thursday Aug 2016

Posted by in Security, Social Media

1 Comment

Tags

,

GoldThe use of Social Media Identities, have been used for a while now as an alternative to the usual username and passwords traditionally used.

When signing up for a web based service you are presented with a dialogue box asking you to sign in with one of a number of Social Media Identities, such as Facebook, Twitter, LinkedIn, Google or another service. Usually near the bottom of the dialogue box is an option to set up a user id and password.

Its common place now for users to just click one of their identities, to gain immediate access to that site. But how often do they stop and think about what the effect of that is.

Why is this important. Here is a good example:

Recently Spotify have been informing users to change their passwords:

http://security.stackexchange.com/questions/134717/spotify-password-compromised

Hi Spotify User

To protect your Spotify account, we’ve reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password.

Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure.

What is happening is that your data is being checked against a  hack list and a cross check against their system. This is based more on the email than password.

The bit of information that is missing though is what is the other leak? Is it a recent leak and is this a published or unpublished hack list?

You can use a service such as  https://haveibeenpwned.com/ to see if your email address is in a known published list, however it cant check those lists that haven’t been published.

If your Social Account is hacked does that compromise and open up all of those linked services. Most probably.

Some simple steps to follow:

  • Don’t link everything to one Social Media Account
  • Think about using the traditional username and passwords for some services
  • Dont use the same passwords across your Social Media Identities
  • Change your passwords on a regular basis
  • Follow a good password length and characters (Alpha, Numeric, Special Characters)
  • Use an additional layer of security, see: Are you using 2 step logins

 

Are you using 2 step logins?

26 Tuesday Jul 2016

Posted by in Security

2 Comments

Tags

Another report today of data being sold for sale on the Dark Web. This time O2 have had data stolen and put up for sale according to a BBC News report.

cameraSo usual changing of passwords are key to ensure that its not the same as on a list. Typically any logins and passwords for sale will be used/tested on multiple sites by hackers to check if you have used the same password on multiple sites. Good practice should be that you use different passwords on different sites to avoid anyone trying this technique, however the management of such a practice often inhibits this from being done. People may decide to install a password manager to help them navigate the miriad of logins and passwords.

Alof of sites now accept authentication via Google, Facebook or other services. However how many people take advantage of the additional security offerings by these companies.

Google and Facebook do offer a two step authentication process for any new devices that are logged into with the Google/Facebook account. This can use the same Google Authenticator application on your mobile that provides a verification code that refreshes every minute.

https://www.google.com/landing/2step/

The service can be used for other applications such as wordpress.

If you use application verification, you should spend the short time to set up 2 step authentication to add the extra layer of security to your account.

 

Build 2016 Resources

07 Thursday Apr 2016

Posted by in Development, IoT, Programming, Raspberry Pi, Security, Tools, Windows

Leave a comment

Tags

, , , , , , , , , ,

Following the latest Build 2016 conference Microsoft have new released a number of resources and videos on Channel 9, providing 49 pages of videos and presentations.

Lots of learning available.Code

Are you rethinking your Java Plugin’s

29 Friday Jan 2016

Posted by in DevOps/OpsDev, Programming, Security

Leave a comment

Tags

, ,

Oracle have recently announced via a blog post that they are going to deprecate the Java browser plug in JDK9 and remove it from future releases.

By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies.

With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology.

Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.

Early Access releases of JDK 9 are available for download and testing at http://jdk9.java.net. More background and information about different migration options can be found in this short whitepaper from Oracle.

Source: https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free

JavaMost browsers are already removing plugin support or don’t support extensions any more. See links below:

Oracle are addressing this through their Java Web Start which downloads the relevant files to your computer if not present then caches them for later use.

Java Web Start is an application-deployment technology that gives you the power to launch full-featured applications with a single click from your Web browser. You can now download and launch applications, such as a complete spreadsheet program or an Internet chat client, without going through complicated installation procedures.

Java Web Start includes the security features of the Java platform, so the integrity of your data and files is never compromised. In addition, Java Web Start technology enables you to use the latest Java SE technology with any browser.

With Java Web Start, you launch applications simply by clicking on a Web page link. If the application is not present on your computer, Java Web Start automatically downloads all necessary files. It then caches the files on your computer so the application is always ready to be relaunched anytime you want—either from an icon on your desktop or from the browser link. And no matter which method you use to launch the application, the most current version of the application is always presented to you.

Source: http://docs.oracle.com/javase/8/docs/technotes/guides/javaws/

However this may not be plain sailing as pointed out in this blog post from Openmicroscopy

What does it mean for desktop developers/administrators?

To deploy Java Web Start, one first needs to get familiar with Deployment Rule Sets. Administrators can then create a list of known-safe applications and manage compatibility between different versions of Java on the system. Each browser will have their own set of dialogs and control mechanisms.

It is getting harder and harder to distribute Java Web Start applications for developers and/or administrators.

Source: http://blog.openmicroscopy.org/tech-issues/future-plans/2015/09/23/java-web-start/

Other useful reads:

NPAPI Plugin Perspectives and the Oracle JRE