Wednesday, December 18, 2013

Gmail Users: Google Makes Your Data More Secure, Owns a Bit More of Your Life

The lovely people at Google have just quietly released a new feature. Google's mail client now automatically shows images from all senders.

Apparently, this is safe now - because all images you see in gmail will be proxied through google's own servers. Now we don't have to worry about viruses and malware in images. Well, we didn't often worry about those in the past - images containing viruses are most often a hoax, the odd PoC, and of course there are some targeted attacks at poorly written image libraries which would form the basis for a driveby. These concerns, and their validity or otherwise, aren't the real reason we turned off images are they?

No, we turned off images because we wanted to make the trade-off between marketing people tracking us, and seeing the image. If the image was going to be useful, or worth seeing, we'd load images. If not, it was probably a "web bug" used to track opens and forwards by canny marketing types.

So, now you know that every image in your gmail is definitely being tracked by canny marketing types - except it is those at Google, rather than the guys who sent the email, who are getting the full picture. Bear in mind also that this is implicitly an HTTPS man-in-the-middle attack. This means that if an image was previously sent securely end-to-end between the email sender and you, it has now resided in the clear somewhere on Google's servers. Of course it's still encrypted in transit - but at some point that image stopped being secure, its origin stopped being verifiable in the same way, and Google served it to you fresh.

I know that Google already know what you are doing with your gmail, but this is one more fragment of your web browsing that's now hitting their servers before it hits the origin.

Yes, I fully appreciate the irony that this blog post resides on Google's infrastructure. They already know what I had for breakfast anyway.

Wednesday, December 4, 2013

Don't Complain About Social Media Bores

Some of my older readers will remember a time before social media, when we had real friends, and talked about real things. They'll remember it fondly, and talk about those halcyon days of pints down the pub, phone calls and lovingly crafted snail mail. To be honest, we are probably better off with social media, but there's still a few things that we might miss. In the "good old days", you could easily avoid the boring guy who had only one topic of conversation (like how rotten his shifts at the mill were). Now we're stuck listening to "social media bores" because we know if we unfriend/unfollow them, they'll know, and it'll just be even worse.

After an in-depth meta analysis, and extensive survey (OK, I hit google and had a chat with 4 colleagues), it can be revealed that the top 5 "Social Media Bores" are:

1. The Braggart: This guy can't buy a replacement lightbulb without telling you why he's got the best. Expect: Holiday bookings and new-car photos

2. "Guess where I am?": She can't help but tell you where she is, regardless of how dull it is.
Expect: "In Slough", "At the local shop", "Entering purgatory... where to next?"

3. The cat bore: Yes, we know you've got a cat, you use him as your profile picture.
Expect: Pictures considerably less funny/cute/well captioned than those already littering facebook

4. The Cliffhanger: An unspecified emote - and we're all supposed to guess what's wrong?
Expect: "Feeling really sad", "Great news!" (and then nothing)

5. Captain Gullible: Is there a hoax this chap hasn't swallowed hook, line & sinker?
Expect: "Did you know water drains anticlockwise in Australia?"

Now comes the hard part. I want you to forgive these guys. I ask you this, not in the spirit of the holiday season, but because I have discovered that it is virtually impossible not to be a social media bore. Observe:

So, if you do want to say something you might think twice about tweeting, maybe hang on, and do it over a beer - or don't say it at all!

If you are interested, here's some of the research I didn't do:

Legal issues:

Workplace issues:

Family issues:

  • Try not to follow escort agencies on twitter if anyone might be watching you
  • I'm told one of my colleagues once got told off by his mother for something he said on Facebook - didn't even make the local news though!


Wednesday, September 18, 2013

7 Ways To Deal With HTTPS traffic

HTTPS traffic. It's a bunch of encrypted zeroes and ones flying through our firewalls and web filters, and frankly many people haven't got much of an idea what it's doing or why it's there. There are business critical apps aplenty that require you to let this impenetrable traffic march on, but what can we do to gain a bit of visibility? In a rare moment of caffeine-induced lucidity, I lay out your options:

1. Do Nothing

This is one of my favourite options - complete inaction. Whilst it might seem like it is a safe bet, after a while things start to go wrong. Sometimes, I take this approach to household chores: it's liberating to not do the laundry for a while, but the day you run out of socks is a dark day indeed.
User Impact: *****
Blocking Efficacy: (that's no stars!)
Advice: Only if you like to have problems

2. Block it ALL!

Not a great idea this one. Might have worked in the deep and distant past, but today's Internet will have no truck with that. Back to doing laundry, it's the equivalent of putting up with prodigious and vile body odour because you can't be bothered to wash your smalls. Might have worked in 200BC, but in 2013 you will likely find it a social faux-pas. Apologies to any readers who were eating breakfast while reading that :)
User Impact: (that's no stars!)
Blocking Efficacy: *****
Advice: Don't do it!

3. Look for Reverse DNS

So I want to allow HTTPS traffic through, but I want to be selective. I know - I'll take the destination IP and do a reverse lookup on it, then I can use that to match... I'll be able to control everything. I don't have a sock analogy here - sorry folks (well I do, but it would be stretched thinner than even the most ardent fans of my blogging would take - an exercise for the reader to build their own!). Reverse DNS is basically pretty unreliable. It's OK for spotting some of the big stuff, so you might blacklist based on it, but conversely it's terrible as a whitelist because it is inclined to miss bits. Yes, more of the internet than ever has reverse lookup, but this still sucks.
User impact: *****
Blocking efficacy: **
Advice: Don't do it!

4. Use Plaintext header information to domain block

This is more like it. Anyone using a "traditional" proxy, where you set up the computer to use an HTTPS proxy, can already do this.

Modern SSL implementations are actually TLS implementations - SSL went out of fashion when flared trousers and wearing a baseball cap backwards were the hottest news. TLS is what we are really using when we refer to SSL. Anyhow, there's a cute little extension to TLS called SNI (Server Name Indication). This method won't work with really ancient browsers.

For those of you still awake, these methods let your web filter block accurately by destination domain. Not URL, domain. Just the first bit. Everything after the / is still mystery meat. This is a reasonable option for blacklist, and a great option if you're whitelisting.
User impact: *****
Blocking efficacy: ***
Advice: No brainer, get it turned on

5. Verify Certificates

You can, and should, check certificate validity on your web filter. It's that simple, really. There are a few gotchas - in that sites with self-signed certificates will need explicitly allowing, but otherwise, this is a great idea. One of the main advantages to this method is the blocking of HTTPS proxy anonymizers, which rarely go to the financial trouble of a full, CA-signed certificate.
User Impact: ****
Blocking Efficacy: *
Advice: Use in conjunction with another method, but do use it

6. Full Inspection

If you're really keen to protect against the threats of web-borne malware, and you want the best filtering, then this is the gold standard. A "Man in the Middle" decryption allows your filter to see the full URL and content, so you can do fine grained blocking, search term analysis and anti-malware scanning, among other things. Of course your users will see a certificate warning if you do this, as you'll be re-signing a certificate claiming to be or whatever. The only way round this is to install your Certificate Authority (CA) on your users' systems. Don't install one that's not got your organisation name in it - some vendors just produce a "standard" CA, and this is really dangerous, allowing the vendor unfettered backdoor access to your clients' browsing. Full inspection can be tricky for BYOD as you have no easy way to push out the CA - so bear that in mind when deciding how to filter.
User Impact: **
Blocking Efficacy: *****
Advice: Definitely use for machines you can push policy to, advise caution on BYOD

7. The NSA Option

If you are the US government, there's always the option of spending a whole heap of your billions of dollars in black budget breaking everyone's crypto. While this is highly effective, people will then tend to avoid you at social functions, and may talk about you behind your back. But at least you'll know what they are saying.
Blocking Efficacy: BLOCKED
Advice: Be afraid
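As an added illustration of option 4 (this is example code written for this post, not Smoothwall's filter), here is a small Python parser that pulls the SNI host name out of a TLS ClientHello and makes the domain-level allow/block decision described above. It also handles the ancient-client case where no SNI is present, and fails closed on malformed input. The ClientHello is constructed in the block, not captured from a browser.

```python
"""Pull the SNI host name out of a TLS ClientHello and make a domain-level
filter decision (option 4 above). Constructed sample, not a capture."""
import struct

TLS_HANDSHAKE = 0x16       # record content type
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # SNI extension type


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello record for testing the parser.
    server_name=None mimics an ancient client that sends no SNI."""
    body = b"\x03\x03" + bytes(32)                 # client_version + 32-byte random (zeros)
    body += b"\x00"                                # empty session id
    body += struct.pack(">H", 2) + b"\x13\x01"     # one cipher suite
    body += b"\x01\x00"                            # one compression method (null)
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack(">H", len(entry)) + entry
        extensions += struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None when the client sent none.
    Raises ValueError on anything malformed so a filter can fail closed."""
    try:
        return _parse_client_hello(record)
    except (IndexError, struct.error) as exc:       # truncated or garbage input
        raise ValueError("malformed ClientHello") from exc


def _parse_client_hello(record):
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                    # skip client_version and random
    off += 1 + body[off]                            # session id
    off += 2 + struct.unpack(">H", body[off:off + 2])[0]   # cipher suites
    off += 1 + body[off]                            # compression methods
    if off >= len(body):
        return None                                 # no extensions block at all
    end = off + 2 + struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", body[off:off + 4])
        data = body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack(">H", data[:2])[0]
        pos = 2
        while pos + 3 <= list_end:
            name_type = data[pos]
            name_len = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pos += 3
            if name_type == 0:
                return data[pos:pos + name_len].decode("ascii", "replace")
            pos += name_len                         # skip other name types
    return None


def filter_decision(record, allowlist, allow_no_sni=False):
    """Domain-level decision for an allowlist: 'allow', 'block' or 'block-no-sni'.
    Only the host name is visible; everything after the / stays opaque."""
    try:
        name = extract_sni(record)
    except ValueError:
        return "block"
    if name is None:
        return "allow" if allow_no_sni else "block-no-sni"
    name = name.lower().rstrip(".")
    for domain in allowlist:
        domain = domain.lower()
        if name == domain or name.endswith("." + domain):
            return "allow"
    return "block"
```

The `allow_no_sni` switch is the trade-off the post mentions: letting SNI-less clients through keeps ancient browsers working, at the cost of not being able to name the destination.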

Tuesday, September 3, 2013

Caveat scriptor - the further perils of a social networker

Caveat scriptor! (Writer Beware!)

We mentioned a few times the problems that you might run into if you post something online without really thinking it through. It can go much further than a red face next time you see friends.

What’s bad for the individual can also be bad for the organisation too – vicarious liability (that we've mentioned many times) can mean that if an organisation can’t demonstrate that it’s trying to monitor and manage access, it too can be considered liable for its employees’ actions. The real kicker here is that the organisation can’t even use the defense that it was unaware of the behavior; the law expects that sensible precautions will be taken.

The message was hammered home this week with the results of the Freedom of Information request to the Student Loan Company about misuse of social media. The response showed that there had been 4 cases (over 5 years) where disciplinary action had been taken. Although the details in the response are scant, there are indications that these individuals were using personal accounts.

Cue the debate about your right to say what you like and why should an employer be able to discipline (in these four cases – dismiss) you for what you say? It comes down to a question of whether you’re representing your employer – a question that was tested in the Adrian Smith case last year.

Essentially the test is this – would a reasonable person viewing your Blog / Wall / Tweets associate you with your employer? If they would, then you suddenly need to be a lot more careful about what you say. Someone who finds your opinions objectionable may also take action against your employer, and it’s likely that they would then want to take action against you.

What’s the answer – keep your online work and your social life separate or be prepared to be squeaky clean if you don’t.

For the employers out there - a strong Acceptable Usage Policy, combined with control of access to Social Media over your network, something that web filters are pretty good at, is a good start for a defense against vicarious liability.

Overall everyone must remember that once something is in print, be that electronic or hard copy, it’s almost impossible to get back. As the Duke of Wellington said, “Publish and be damned”.

Thursday, August 22, 2013

Mile High Wi-Fi

Long haul flights may never be the same again as high speed Wi-Fi is set to be delivered to air passengers in 2014.

Train travelers and even bus passengers have become used to on board access but the new system will deliver speeds ten times greater than those currently available. The technology is based on the ability to aim a satellite dish with ultra high precision and keep it on target as the aircraft moves.

But as many organizations have discovered, having more bandwidth doesn’t always mean happy customers. Hotels in particular have seen apparently ample connections being hogged by applications like streaming media and file sharing leading to lots of unhappy guests. In the confines of an aircraft at 30,000 feet who knows what the result of a slow connection might be…?

Then there’s the whole question about what content is accessible to users. No airline is going to be happy with illegal downloads crossing its network, adult content is plainly not acceptable, and how to deal with acceptable content in different sovereign air spaces is anyone’s guess.

There are of course several Smoothwall engineers willing to do extensive field research in fitting UTMs onto aircraft heading for warm and sunny locations, providing of course that they are allowed to “recover” for a couple of weeks.

What can we say? Watch this air-space!

Tuesday, August 20, 2013

LinkedIn switches focus to kids

LinkedIn have announced that they are reducing the age limit for membership from 18 to 13. I have to say that disturbed would be an underestimation of my reaction.

Firstly, it seems rather absurd, especially at a time when the safety of young people online is at the centre of public debate. Personally, I find it weird that LinkedIn finds it acceptable to allow teenagers or screenagers (if you want to be hip) to connect and network with adults they don’t know. I see bad times ahead!

LinkedIn’s argument for offering the service feels wishy-washy. It will help young people to research their career options and job prospects. Really? What self-respecting 13 year old is on the hunt for work? At that age, I was still sharing Pogs in the playground or at the roller disco. Ah, to be young again. Seriously though, the future hadn’t even entered my mind.

While the concerns today might be about which smartphone is fashionable rather than Pogs, I would say that the same applies to young people now: the future is the last thing on their minds.

It’s also said that young people will be able to create an online persona that looks towards higher education and work rather than the standard social networks, but will this be any different from the idealised CVs employers see from school leavers?

Even with the planned changes LinkedIn says they’ll stay true to their professional networking roots. I can’t see how though. Will there be a LinkedIn boycott by business people who use it for the purpose for which it was made? They will surely find the under 18s brigade a nuisance rather than an asset. Also, who is going to be comfortable with connecting with an under 18 for fear of being branded a predator?

Is this really about opportunities for kids or is LinkedIn after a slice of online advertising spend? Last year Facebook’s ad revenue reached $5 billion.

Anyway, rant over. Don’t look me up on LinkedIn; chances are you won’t find me.

Monday, August 19, 2013

Once more unto the BREACH...

Security: noun. The state of being free from danger or threat.

Security is a powerful word on the web. Secure Online Banking, Secure Logins, Secure Portals, Secure Searches, all are now common parts of web vernacular. We have a Secure Web Gateway as part of our product line up. The basis for much of this security is TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer).

BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is an attack on TLS and SSL. Details are a search away ("tls breach attack" is a good start). The result is that an attacker can theoretically extract specific pieces of information from a secure exchange between client and server, like a bank account number or password reset link. The clever bit is that it takes advantage of, and indeed relies on, the fact that this information is compressed as well as encrypted. Servers routinely compress data sent to the client to save bandwidth, but this relies on both parties agreeing to a compression scheme which is accomplished by the client advising the server in the initial request which compression schemes it supports. This is where a nifty new Smoothwall feature comes in. Combined with an older, more entrenched capability, it can help mitigate the BREACH threat. Ironically, this is accomplished by interfering with a secure process.

Regular readers of and other Smoothwall users will be aware of YouTube For Schools, which makes use of Smoothwall’s header insertion capability to inform YouTube that the client is only allowed access to educational videos. Combining this with HTTPS inspection (which is effectively a man in the middle attack, akin to a switchboard operator listening to a phone call, and something SSL/TLS was designed specifically to prevent), we can override the header that specifies which compression schemes the client’s browser is willing to accept, effectively instructing the server not to compress data and putting a large blue spanner in the BREACH attack.

Who says you can’t fight fire with fire?
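An added illustration of the mitigation just described (example code written for this post, not Smoothwall's header insertion feature): a proxy-side rewrite that replaces the browser's Accept-Encoding header with identity, a check that the upstream response really did come back uncompressed, and a fallback that unpacks a gzip body when a server ignores the request. The HTTP messages are constructed samples.

```python
"""Proxy-side BREACH mitigation: force the client's Accept-Encoding to identity,
detect responses that still came back compressed, and unpack them if needed.
HTTP messages here are constructed samples, not captures."""
import gzip

CRLF = b"\r\n"

# Constructed sample request: a browser advertising compression on a sensitive page.
SAMPLE_REQUEST = (
    b"GET /account HTTP/1.1" + CRLF
    + b"Host: bank.example" + CRLF
    + b"Accept-Encoding: gzip, deflate" + CRLF
    + b"Cookie: session=CONSTRUCTED-SAMPLE" + CRLF + CRLF
)


def _split_message(message):
    """Return (first_line, [header lines], body) for a raw HTTP/1.1 message."""
    head, _, body = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], lines[1:], body


def override_accept_encoding(request):
    """Replace every Accept-Encoding header (there may be several) with identity,
    or insert one if the client sent none, so the server will not compress."""
    first, headers, body = _split_message(request)
    kept = [h for h in headers if not h.lower().startswith(b"accept-encoding:")]
    kept.append(b"Accept-Encoding: identity")
    return CRLF.join([first] + kept) + CRLF + CRLF + body


def response_was_compressed(response):
    """True if the upstream ignored the override and sent an encoded body;
    a filter can log this per site to find servers that need another control."""
    _, headers, _ = _split_message(response)
    for h in headers:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-encoding":
            return value.strip().lower() not in (b"", b"identity")
    return False


def decompress_gzip_response(response):
    """Turn a gzip-encoded response into an identity one before it reaches the client.
    Other encodings are passed through unchanged (and would show up via the check above)."""
    first, headers, body = _split_message(response)
    encoding, kept = None, []
    for h in headers:
        name, _, value = h.partition(b":")
        lname = name.strip().lower()
        if lname == b"content-encoding":
            encoding = value.strip().lower()       # dropped from the rewritten response
        elif lname != b"content-length":             # length will be recomputed
            kept.append(h)
    if encoding != b"gzip":
        return response
    plain = gzip.decompress(body)
    kept.append(b"Content-Length: " + str(len(plain)).encode("ascii"))
    return CRLF.join([first] + kept) + CRLF + CRLF + plain


def build_gzip_response(plain):
    """Constructed upstream response that compresses its body regardless of the request."""
    body = gzip.compress(plain)
    return (b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: text/html" + CRLF
            + b"Content-Encoding: gzip" + CRLF
            + b"Content-Length: " + str(len(body)).encode("ascii") + CRLF + CRLF + body)
```

Note that the override only removes the compression oracle when the server honours it; the check function is there so you can see which servers do not, since the decompression fallback only protects the client-facing leg of the connection.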

Wednesday, August 7, 2013

Unsuspecting sites find themselves hosting child abuse imagery. But why?

The Internet Watch Foundation recently released a statement regarding the hacking of legitimate business websites to store illegal imagery of child sexual abuse. The imagery wasn't directly accessible from these unsuspecting sites, but linked to from external sources — including portals for legal adult content.

In the last 6 weeks, the IWF has received over 277 complaints from people who have happened upon this kind of content. But what could be the purpose for secreting illegal child abuse content on otherwise lawful sites? In order to avoid hysteria and misplaced action, we need to attempt to understand the cause, rather than the symptoms, or we risk an ill thought through, knee-jerk reaction.

Superficially, there seem to be three potential causes: the nefarious, the vindictive, and the political.

The nefarious route is the least savoury. In this scenario, the purpose of the act is to distribute child imagery for criminal users — its enthusiasts. It's an easy conclusion to jump to, and start raiding the barn for pitchforks, but it raises a few issues. Firstly, why would such sensitive, illicit content be distributed on the open web? Why would a more clandestine service not be used? If you are attempting to run an illegal commercial enterprise, it doesn't seem to make sense that you would do business out in the open, rather than using TOR or other 'Deep Web' facilities. There is an inherent risk of your content being found, and, thankfully, shut down.

There's an argument to be made (and very eloquently by your favourite blogger and mine, Tom Newton), that this space has been hacked and traded multiple times, with no connection between the owners and the original attack. That the whole process provides a smokescreen. However, why would a misdemeanour criminal who 'acquires' web space allow themselves to be attached to a much more serious crime? It seems that there would be a quickly falling house of cards, where bucks would swiftly be passed to evade serious punishment.

Finally, why would the link be placed into an open forum? In this case, links to legal adult fetish content arrived at the illegal material. Someone deliberately attempting to access illegal content might claim that there is a theoretical benefit: any analysis of the browser's web activity would suggest that they were innocently looking for something legal, and were "horrifyingly duped". This theoretical benefit seems to crumble under the exposure of having an unprotected public link to your illegal content. A link that many people could find and, thankfully, have reported.

That the content persists, rather than being deleted after some underground transaction, also seems to suggest either a significant lack of discretion, or that the content was meant to be found. Which brings us to: the vindictive.

The smear of being supposedly complicit in child sexual abuse is almost indelible. As operations Ore and Yewtree have shown, entire nations will stand up and take notice when this particular topic is raised. People in the public eye may not have been convicted, such as Massive Attack's Robert Del Naja, but lives can be ruined.

Because of this, the threat of being affiliated with such toxic material can become a weapon. Anecdotally, I have seen the behaviour of the delightful inhabitants of 4Chan, where anonymity and arguments run wild. Threats are made from behind the veil of the screen and the shield of the keyboard, and these threats can — and do — escalate. I've never witnessed anything that would entirely explain the current hacks, but I have seen threats of the planting of illegal material on people's computers, coupled with calls to the police. For more on the far-reaching implications of web activity, see the recent post by security researcher Brian Krebs, who was sent heroin by malicious online adversaries, with the intent of calling the police to implicate him. The drugs were acquired online, but were simply a tool.

In this scenario the child abuse imagery is also a tool of threat or extortion, rather than intended for criminal viewing. An enormously inflammatory weapon able to destroy reputations and lives. The unsuspecting owner of the website could be the target, or possibly a third party who is known to use the legal pornography site hosting the links. It could even be an attempt to extort the owners of the pornography site by suggesting that they are complicit in funding the material.

Still, until prosecutions commence, the idea that these hacks are designed to malign and ruin individuals (or businesses) is just one of many possibilities. The fact that these attacks have increased in the last 6 weeks gives rise to a timely third option... the political.

No post on inappropriate content would be complete without some commentary on David Cameron's plans for a UK-wide, ISP-level content filter. Criticism over the filter falls into two camps: the supposed hand of the nanny state, and the alleged technological ignorance on display. If you were keen to demonstrate that a domain-level Internet filter impedes freedom without providing protection, then showing that illegal — let alone "offensive" — material can be put onto reputable sites may erroneously be seen as direct action.

It seems inherently possible. Though why would conventional, legal adult content not be used to get the point across? Why risk affiliation with another serious crime? Why risk your political legitimacy by associating yourself with abhorrent material? And where do the links from adult sites come into play?

None of these options seem outlandish, and yet none completely fit the situation. There are undoubtedly myriad scenarios that haven't been considered here — please feel free to add in the comments.

The causes here aren't clear cut, but there continues to be one cause that is: working with the IWF to eliminate online child abuse content for good.

Wednesday, July 31, 2013

Can Twitter be blamed for bad behaviour?

The case of the abusive tweets sent to campaigner Caroline Criado-Perez has once again highlighted the difficult issues that surround user generated content.

Ms Criado-Perez’s situation clearly demonstrates the potential for social networks to be used as a vehicle for harassment. After being involved in the successful call for a woman to be featured on a forthcoming banknote, she received a torrent of abusive messages including threats of rape.

When Ms Criado-Perez reported the matter to Twitter the response was not what she expected – she was told to report the matter to the police, who have now arrested a 21 year old man on suspicion of harassment offences.

Twitter now faces a welter of criticism about its reaction to the situation and its policy about reporting abuse. It’s now reported to be planning to introduce a “report abuse” button similar to those seen on many news sites or forums.

At the end of 2012, the then Director of Public Prosecutions, responding to prison sentences being handed out to twitter users, gave guidance that prosecutions would only be sought where material published was grossly offensive or criminal. In Ms Criado-Perez’s case the inclusion of threats clearly pushed this over the line.

However, like the argument around the blocking of pornography by ISPs, the ability to report abuse on social networking sites would require the companies to become an arbiter of a complex and finely shaded law and take on the cost of providing the huge resource to monitor the flow of content.

The problem, however, is not completely new. Threatening phone calls and text messages have been creating misery for users for many years. Networks always advise reporting the case to the police, and their ability to support the abused customer is limited (changing phone number, for example). Companies like twitter could be forgiven perhaps for wondering why they are required to go further than long established mobile and telecoms operators.

The treatment of people who express strong views in public is cause for concern, and this seems to be a particular issue when the views expressed are those of a woman, but there is a risk of confusing the issue of this abuse and the medium it is carried by.

As the medium of much modern discourse, it’s right to expect social networks to work closely with law enforcement when abuse takes place. This means that records must be kept to enable investigations, but this is quite different from a further growth of privatised censorship.

Just as with the debate around other forms of abuse, the answer here is to attack the problem at its root – in this case the irrational reaction of people toward women who express strong opinions in public – rather than trying to sweep the problem under the carpet by moderating a messaging system carrying over 33,000 messages per second.

Monday, July 22, 2013

No Budget to Block Porn? Confuse the Public and Rope In ISPs...

For the past month or so, the UK government has increased its hot-air output on the subject of online pornography. I hope their aims are admirable (and I have to assume they are), but there seems to be relatively little method and much more madness right now. Where are they going wrong, and what can be done about it?

Not all porn is Child Abuse. Following two recent, high profile cases where child murderers were found to have viewed child abuse images, there were a number of hasty pronouncements, fuelled in large part by "enthusiastic" press coverage. Most of these centred around "regular" legal pornography.

This is a problem. Even if most viewers of abuse imagery do also view legal porn it doesn’t follow that viewing legal porn leads to viewing child abuse imagery. Users of illegal drugs also purchase headache tablets in the supermarket - should we ban all painkillers because users might turn to illegal drugs? I fear, however, that good sense makes poor headlines, so we're probably stuck with this crooked thinking.

It is difficult to decide what is "porn": in order to protect the children, there is a suggestion that ISPs block access to porn "by default" (though there seems to be some weaselling on the cards here with the word "default"). However this happens, the question will arise "who decides what is pornography?". In this case, it won't be the government, as they've devolved responsibility to a private organisation (your ISP) who will further devolve this to a filtering company.

I know a little about the inner workings of one such filter company - we at Smoothwall spend quite some effort on making sure things are as well categorised as they can be. It's a difficult question - one US judge managed to come up with an interesting answer: "I know it when I see it." Our lists aren't perfect, but the "lowest bidder" is likely to be some faceless off-shore corporate who frankly won't give a <censored> if your favourite sports forum has been misidentified as pornographic.

Update: The BBC have picked up on this outsourcing of filtering and identified TalkTalk's filtering partner as Huawei, who have been stuck with the "they must be up to no good because they're from China" tag - a nasty generalisation, but one prevalent in the media right now. It's interesting to note that TalkTalk themselves appeared to distance themselves from Huawei by overplaying links with Symantec (having spoken with industry insiders on this, this is not news...). This shows that we're already seeing a company viewed as "undesirable" making moral decisions on behalf of TalkTalk's customers. See also, wedge: thin end.

Many very popular sites have plenty of porn and ISP level blocking is going to be pretty brutal. I will have a good old nibble of my hat if we get anything better than domain blocking, but if there's full HTTPS inspection, I'll eat the thing whole, and the matching gloves, before moving to a country with a less invasive government (and preferably hot weather, as I will have ingested my hat & gloves).

Let's take an example of why we need granularity to be any good. Twitter. Whilst indulging in a spot of online ornithology, you might enter a search term "great tits". There you go, plenty of porn-over-https on a domain you can't block. Time to legislate seven shades out of twitter, and the next site, and the next...

Finally, let's touch on an old favourite hobby horse of mine: the Internet is not The Web - and there are plenty of non-web services out there, from the old school like NNTP news groups, to the more modern like encrypted peer-to-peer, and a bunch in between where some of the worst images are found. If we aim at google, we're preaching to the choir; they already work with the relevant bodies to keep their results as clean as possible. Again, this is focusing in the wrong place if the real aim is to clean up child abuse imagery.

My suggestion? Make sure the bodies responsible for this sort of thing are adequately funded. I would like to see the creation and distribution of Child Abuse Images come to a complete stop. These latest proposals take aim at two targets though, and when you try to aim at two things at once, one of those shots is likely to miss the target let alone the bulls-eye.

Friday, July 5, 2013

Meet the sarcasm monitor - coming to a social network near you...

Okay, so we already know our personal details are ‘out there’ in the hands of companies who want our data to sell it to third parties. Big Data is big business!

Tracking technologies like marketing analytics, digital footprinting, and cookies all help to build a detailed picture of you: what you had for breakfast, where you ate last night and even your home address.

Spotter, a French company, has reportedly taken things a step further with the development of a tool that detects if a comment posted online has a “sarcastic” tone. Presumably their clients will use the findings as some form of business intelligence.

Obviously it depends on where your company does business. For an international company like Smoothwall this could be relevant if we wanted to track our British customers, because this is a trait of our humour. However, this will probably be next to useless for monitoring comments of customers in parts of the world where sarcasm isn’t part of daily conversation. It would also be interesting to see if it can identify the full spectrum of irony.

The UK sales director at Spotter, Richard May, assures us that “the company monitored material that was ‘publicly available’”. Thanks for the reassurance! (Did you get that one Spotter?). Seriously though, how can we be sure?

Search giant Google was slammed for circumventing the default settings on Apple’s Safari browser which installed cookies even when the users opted for non-third party cookies. Facebook is also not so friendly, reportedly scanning your personal messages to increase its “like” counter.

Spotter’s chosen time to come to market doesn’t seem so good. People are already more aware than ever that Big Brother is watching. In a global survey by Big Brother Watch 79% said they were concerned about their online privacy. Wherever we are, we must watch what we say online. Many cases have been in the media, with people getting disciplined or fired for being vocal online about things that happen at work.

The Ed Snowden revelations have made us more worried. Just how much do they know? The answer: a lot! As I write GCHQ could be trawling through your Facebook posts, internet histories and phone calls. It is for our own good you know. To protect our freedom, says William Hague. How free do you feel? Not so much?

Monday, April 15, 2013

Infosec is here again (stand K60)

This week I was asked nicely by our marketing folks if I could write something that could link to our presence at Infosecurity Europe (We're at stand K60, come visit us, there's probably free stuff, and definitely interesting people - there, y'happy now marketeers? ;) ).

Anyway, I thought I'd do a piece on new Infosec exhibitors I planned to visit. Sadly, I didn't find a lot to get me excited on my trawl through the exhibitor list! Don't get me wrong, I'm sure there's some great stands there (including ours, K60, did I mention it?), but the list just about failed to get a hoary old 10-year-infosec-veteran like me engaged.

What I did see though, was a couple of vendors offering "end user training" - particularly Bob's Business (extra points for being from Yorkshire), and Now, there are those who suggest that this sort of training isn't that wonderful an idea - including infosec superhero Bruce Schneier writing over at Dark Reading. I kinda agree with Bruce, especially with regard to the value of implementing training measures "server side", and increasing our resilience to inevitable failure, but I think maybe he paints slightly too dark a picture of end-user training.

I know we fail with a lot of our efforts to change user behaviour, but eventually, some of it sticks. I've written in the past about how tough it is to change people's mindset: I had to remind my dad to wear his seatbelt pretty recently, and campaigns to encourage their use have been ongoing for 40 years (plus laws to that effect, plus the obvious downside of going un-belted), but younger folk seem to be much more likely to belt up - something has caused the message to "stick". Eventually.

In the tech world, things seem to happen more rapidly - just around the office here we've had two-factor authentication turned on by default for a year or so on our email. When it was first turned on, people moaned. It was hard to use. It was inconvenient. Now, it's kind of expected. Indeed, when we launched a new system that couldn't SSO, people asked: "Where's the 2FA?". Now, these were non-techies, but they were people working in the security business... but I see that as a glimmer of hope. Perhaps in this more fast-moving world the "buckle up" message will sink in within a generation?

Would love to hear from people in "the real world", where their users really don't have an interest in IT security. Have you been able to train out bad habits? Is Bruce right and end-user training won't help?

Finally... since we're here, and you've gotten this far, here's a few people I'll be visiting at Infosec anyway - Vuln management folks RandomStorm (Yorkshire connection, plus a few ex-Smoothwallers there), SIEM Maestros Splunk (I just love graphs... I think I caught the bug from one of our developers...), SSH (Which self respecting Linux-botherer would miss it?), Bunker Secure Hosting (you had me at "Bunker") and, last but not least Vipre (the now-divorced-from-GFI anti-malware used in Smoothie). Hey maybe it won't be so dull after all... visit K60. Go on. Please.

Monday, March 25, 2013

Mobile Malware: 3 Key Differences and 3 Top Tips

Traditional malware is relatively easy to spot - well, ok, I am sure most security vendors would disagree, but it is. Compared to mobile malware - I did say “relatively”, didn’t I?

Why is mobile malware so different to regular “desktop” malware? Well, for a start, there’s the environment. Even on our most lightweight laptops, we’re willing to leave an antivirus running 100% of the time. Sure we’ll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin... but still...), but in the end, it stays. On our ‘phones however, small is king (don’t get me started on “phablets”, if I wanted to walk around with a plasma telly in my pocket I’d shoplift at Dixons). Small devices mean small batteries, and we generally can’t afford to keep CPU chewers around “unnecessarily”. This means that anti-malware often takes a back seat: most users won’t run it.

Second up, there’s the homogeneity of the devices. Android often gets slated for a “fragmented platform”, but if you’re looking to have the same fundamental attack vectors, mobile is a great place to be. This was a criticism levelled at the Microsoft environment 5 years ago, but while Windows is still highly popular, the software stack is much more varied - Outlook is no longer de facto, and nor is IE. iOS is going to give you even more of a predictable basis for attack, so as a malware author, it’s a great place to be. Our user has less control of the OS too, coming behind the vendor and the network in the pecking order - often a good thing, less rope to hang oneself, but it means any AV has less foothold in the OS, and makes it hard for the user to spot “interesting” issues: the diagnostic tools aren’t readily available.

Finally, we come to the killer feature - the ability to make calls. If I “own” (or pwn, if you’re 17) your PC, you’re going to make me work to turn a profit: I can sell it, but for peanuts, I need 1000s. You probably don’t have your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can’t rely on it. Your phone, however, has the ability to spend money on your behalf right out of the box by placing calls to premium numbers, or signing up to text services. Even the app store is more likely to be an easy place to slyly spend your coin than anything I can find on your PC.

So - before this post becomes “TL;DR”, I’ll leave you with a few tips on how to avoid getting your phone hacked (Russian mafia style hack, rather than lazy journalist style hack)...

Rule Zero: The fundamental rule of safety - if it looks too good to be true, that’s because it is. If an app is normally 70p, and there’s a free copy offered: pony up, you tightwad. Best case, the free/cheap one’s ad supported, worst case, it’s worse. If an app offers you something for nothing that you know normally costs money, well, you’re paying somewhere. See also: Free lunch, existence or otherwise thereof.

Rule One: Check the permissions. Both iOS and Android apps will state what the app is allowed to do. Be especially cautious with things that could cost you money. Sadly, most things need network capability for something or other, so that’s not really a good red flag, but think: does this app need this permission? Why?

Rule Two: Follow the crowd. Wildebeest know there’s safety in numbers, and you should too. If an app has many users it is more likely to be kosher, but if an app is brand new to the app store and has very few downloads, tread carefully - especially if it looks like a mature app. Check the reviews while you’re at it.
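A small check in the spirit of Rule One, added here as an example and not from the original post: it pulls the requested permissions out of an AndroidManifest.xml (a constructed sample for a fictional "free torch" app) and flags the ones that can spend your money. The two permission groupings are my own assumption, built from the Android permission names, not an official list.

```python
"""Triage the permissions an Android app requests before installing it.

Added example, not from the original post. The manifest below is a
constructed sample for a fictional app; the permission groupings are
an assumption based on Android permission names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app spend money on your behalf (premium
# texts and calls), the "could cost you money" case in Rule One.
COST_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}

# Permissions that deserve a "why does a torch need that?" question.
WORTH_A_QUESTION = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifest for a supposedly free torch app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freetorch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    # Namespaced attributes are keyed as "{uri}name" by ElementTree.
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Classify the requested permissions and give a Rule One verdict."""
    perms = requested_permissions(manifest_xml)
    costly = sorted(p for p in perms if p in COST_MONEY)
    questionable = sorted(p for p in perms if p in WORTH_A_QUESTION)
    if costly:
        verdict = "can spend your money"
    elif questionable:
        verdict = "ask why it needs this"
    else:
        verdict = "nothing alarming"
    return {"costly": costly, "questionable": questionable, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```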

Tuesday, March 19, 2013

Death of the Keyboard? It's not just the keys that are numbered...

I bet there's a keyboard within two feet of you right now, be it mechanical, or virtual.
You'll probably use at least three different keyboards today, which for me at least makes the keyboard more ubiquitous than the teacup.

In one guise or another, the idea of pressing buttons to produce one character at a time has been with us since 1714 and has evolved considerably in that period.
So it's been with us for a while, but personally I think the keyboard's days are well and truly numbered.

Don't get me wrong, the days when you have to go to a specialist shop for an antique piece of 'typing apparatus' aren't upon us yet, but I think soon it will be possible for even the most hardened technophile to get through the average day without typing a letter.

We're halfway there already. Between Google Now and Siri, you don't really have to touch your smartphone any more to bend its powers to your will, though there are still limitations. Touchscreens are making a valiant effort to kill the mouse and even the humble Ford Focus comes with voice control (dubbed SYNC).

In the office, things like the Leap Motion and Space Top are promising to revolutionise the way we think of the 'desktop', stripping out the middlemen of the mouse and keyboard and freeing your hands to be the expressive and dexterous tools that they were meant to be.

Couple these concepts together in a package like Google Glass or the Oculus Rift and you end up with a picture more advanced than Star Trek, with people searching for, creating and sharing information without ever pushing a button. It's a fascinating technological landscape that has sweeping implications for Smoothwall and our ilk.

Thursday, January 10, 2013

10 Ways I Saved Time With Android Apps

I owned smartphones between 2001 and 2006. They were of limited use back then, costing about the same as a good smartphone in 2012; the applications were often slow and lacking features, and the interface was cumbersome. Mobile internet was usually very slow, patchy and often frustrating. Not so long ago, in retrospect. I was put off; they were not value for money at all...

Can the market sell to me again? I did not own another smartphone, until late 2012. I threw down the gauntlet. I enjoyed some of the advertisements and peer influence, but until the sums looked as if they were adding up for my requirements, I did not buy in. Bingo - a refined Android powered device appeared; the Galaxy Note 2. Another thing, tablets. I had resisted those too, but quite liked the look of those handy, intuitive pads. Readers are looking good as well. The Note 2 is a fusion of all these things. For someone like me, who is interested in many things, this device convinced me to buy into the marketplace again.

During my first month of ownership, these apps have genuinely saved me time whilst mobile:-

1) Camera + Gmail. Taking pictures of complex equipment at work, domestic appliances and the outcome of meetings. I reference the images to find parts, diagnose faults and communicate issues.

2) National Rail. Checking journeys and viewing delays. Less time spent waiting on a platform.

3) Met Office. Checking the five day forecast. Plan time to chop reclaimed wood for domestic multi-fuel burners.

4) Bank Balance App. Check balance and recent transactions. Knowing if payments have been received on purchases. Information to use when chasing late or lost deliveries.

5) Spotify. Finding a tune during a social gathering. A group of friends wanted to sing along to the popular folk song, The Wild Rover. Found the tune within seconds, the device speaker was good enough for a nice sing-along. I decided to subscribe to download play-lists.

6) Navigation. Searching for a store in a busy, unfamiliar area. Found the store without making any wrong turnings and had time to browse.

7) Google Sky Map. I was given a telescope for Christmas and wanted to provide Jupiter viewings for guests at a social gathering. Located Jupiter, then was easily able to point the telescope at the planet and focus. Everyone was able to see the planet’s markings and moon.

8) Clock. Setting an alarm. Usable and flexible alarm clock management. I can set alarms quickly when tired, each night I need them.

9) Independent. Independent news on-line. I no longer need to read my least favourite newspapers in a cafe I use regularly for lunch, if the single copy of ‘The i’ is in use by another customer. I might subscribe to the on-line version.

10) S Notes. I needed to take some notes whilst talking to a colleague. Important ideas, which may have been lost whilst looking for a pen and paper, were saved. For an ongoing task I couched a few ideas then noted them; the solution came to me whilst out walking.

The time saved in these examples ranges from a few seconds to minutes. As I find more time-saving apps and become more adept at using them, the saving will grow. The apps are good at saving time in context: when you are busy, seconds are more valuable than when relaxing at home, for example. Catching up on missed TV is perfectly viable and I'll be ordering a take-away Friday night, using the web browser.