Tag Archives: security

F-Secure Sense: a success and a failure (and why you should not rely on your anti-virus software)

I am in the process of reviewing F-Secure sense, a hardware firewall which works by inspecting internet traffic, rather than scanning files on your PC or mobile device. This way, it can protect all devices, not only the ones on which an anti-malware application is installed.

I get tons of spam and malware by email, so I plucked out a couple to test. The first was an email claiming to be an NPower invoice. I don’t have an account with NPower, so I was confident that it was malware. Even if I did have an account with NPower, I’d be sure it was malware since it arrived as a link to a website on my.sharepoint.com, where someone’s personal site has presumably been hacked.

I clicked the link hoping that Sense would intercept it. It did not. Here is what I saw in Safari on my iPad:

image

(Wi-Drive is a storage app that I have installed and forgotten about). I clicked More and saved the suspect file to Apple’s iCloud Drive.

Then I went to a Windows PC, and clicking very carefully, downloaded the file from iCloud Drive. The PC is also connected to the Sense network.

Finally, I uploaded the file for analysis by VirusTotal:

image

Well, it is certainly a virus, but only 4 of 58 scanning engines used by VirusTotal detect it. You will not be surprised to know that F-Secure was one of the engines which passed it as clean.

image

Note that I did not try to extract or otherwise open the files in the ZIP so there is a possibility that it might have been picked up then. Still, disappointing, and an illustration of why you should NOT rely on your antivirus software to catch all malware.

Now the good news. I had another email which looked like a phishing attempt. I clicked the link on the iPad. It came up immediately with “Harmful web site blocked.”

image

While that is a good thing, 50% of two attempts is not good – it only takes one successful infection to cause a world of pain.

My view so far is that while Sense is a useful addition to your security defence, it is not to be trusted on its own.

In this I am odds with F-Secure which says in its FAQ that “With F-Secure SENSE no traditional security software is needed,” though the advice adds that you should also install the SENSE security app.

image

F-Secure Sense Firewall first look: a matter of trust

Last week I journeyed to Helsinki, Finland, to learn about F-Secure’s new home security device (the first hardware product from a company best known for anti-virus software), called Sense.

I also interviewed F-Secure’s Chief Research Officer Mikko Hypponen and wrote it up for The Register here. Hypponen explained that a firewall is the only way to protect the “connected home”, smart devices such as alarms, cameras, switches, washing machines or anything that connects to the internet. In fact, he believes that every appliance we buy will be online in a few years time, because it costs little to add this feature and gives vendors great value in terms of analytics.

Sense is a well made, good looking firewall and wireless router. The idea is that you connect it to your existing router (usually supplied by your broadband provider), and then ensure that all other computers and devices on your networks connect to Sense, using either a wired or wireless connection. Sense has 3 LAN Ethernet ports as well as wireless capability.

This is not a full review, but a report on my first look.

image

Currently you can only set up Sense using a device running iOS or Android. You install the Sense app, then follow several steps to create the Sense network. You can rename the Sense wifi identifier and change the password. The device you use to setup Sense becomes the sole admin device, so choose carefully. If you lose it, you have to reset the Sense and start again.

My initial effort used the Android app. I ran into a problem though. The Sense setup said it required permission to use location:

image

I am not sure why this is necessary but I was happy to agree. I clicked continue and verified that Location was on:

image

Then I returned to the Sense app but it still did not think Location was available and I could not continue.

Next I tried the iOS Sense app on an iPad. This worked better, though I did hit a glitch where the setup did not think I had connected to the wifi point even though I had. Quitting and restarting the app fixed this. I am sure these glitches in the app will be fixed soon.

I was impressed by the 16 character password generated by default. Yes I have changed it!

image

I was up and running, and started connecting devices to the Sense network. Each device you connect shows up as a protected device in the Sense app.

There are very limited settings available (and no, you cannot use a web browser instead, only the app). You can set a few network things: IP address, DHCP range. You can configure port forwarding. You can set the brightness of the display, which normally just shows the time of day. You can view an event log which shows things like devices added and threats detected; it is not a firewall log. You can block a device from the internet. You can send feedback to the Sense team. And that is about it, apart from the following protection settings:

image

The above is the default setting. What exactly do Tracking protection and Identify device type do? I cannot find this documented anywhere, but I recall in our briefing there was discussion of blocking tracking by advertisers and identifying IoT devices in order to build up a knowledgebase of any security flaws in order to apply protection automatically. But I may be wrong and do not have any detail on this. I enabled all the options on my Sense.

As it happens, I have a device which I know to be insecure, a China-made IP camera which I wrote about here. I plugged it into the Sense and waited to see what would happen.

Nothing happened. Sense said everything was fine.

image

Is everything OK? I confess that I did not attach Sense directly to my router. I attached it to my network which is behind another firewall. I used this second firewall to inspect the traffic to and from the Sense. I also disconnected all the devices other than the IP Camera.

I noticed a couple of things. One is that the Sense makes frequent connections to computers running on AWS (Amazon Web Services). No doubt this is where the F-Secure Security Cloud is hosted. The Security Cloud is the intelligence piece in the Sense setup. Not all traffic is sent to the Security Cloud for checking, but some is sent there. In fact, I was surprised at the frequency of calls to AWS, and hope that F-Secure has got its scaling right since clearly this could impact performance.

The other thing I noticed is that, as expected, the IP Camera was making outbound calls to a couple of servers, one in China and one in Singapore, according to the whois tools I used. Both seem to be related to Alibaba in China. Alibaba is not only a large retailer and wholesaler, but also operates a cloud hosting service, so this does not tell me much about who is using these servers. However my guess is that this is some kind of registration on a peer to peer network used for access to these cameras over the internet. I don’t like this, but there is no way I can see in the camera settings to disable it.

Should Sense have picked this up as a threat? Well, I would have liked it if it had, but appreciate that merely making outbound calls to servers in China is not necessarily a threat. Perhaps if someone tried to hack into my camera the intrusion attempt would be picked up as a threat; it is not easy to test.

On the plus side, Sense makes it very easy to block the camera from internet access, but to do that I have to be aware that it might be a threat, as well as finding other ways to access it remotely if that is something I require.

Sense did work perfectly when I tried to access a dummy threat site from a web browser.

image

If you disagree with Sense, there is no way to proceed to the dangerous site, other than disabling browser protection completely. Perhaps a good thing, perhaps not.

It all comes down to trust. If you trust F-Secure’s Security Cloud and technology to detect and prevent any dangerous traffic, Sense is a great device and well worth the cost – currently £169.00 and then a subscription of £8.50 per month after the first year. If you think it may make mistakes and cause you hassle, or fail to detect attacks or malware downloads, then it is not a good deal. At this point it is hard for me to tell how good a job the device is doing. Unfortunately I am not set up to click on lots of dangerous sites for a more extensive test.

I do think the product will improve substantially in the first few months, as it builds up data on security risks in common devices and on the web.

Unfortunately more technical users will find the limited options frustrating, though I understand that F-Secure wants to limit access to the device for security reasons as well as making it simpler to use. The documentation needs improving and no doubt that will come soon.

More information on Sense is here.


The threat from insecure “security” cameras and how it goes unnoticed by most users

Ars Technica published a piece today about insecure network cameras which reminded me of my intention to post about my own experience.

I wanted to experiment with IP cameras and Synology’s Surveillance Station so I bought a cheap one from Amazon to see if I could get it to work. The brand is Knewmart.

image

Most people buying this do not use it with a Synology. The idea is that you connect it to your home network (most will use wifi), install an app on your smartphone, and enjoy the ability to check on how well your child is sleeping, for example, without the trouble of going up to her room. It also works when you are out and about. Users are happy:

So far, so good for this cheap solution for a baby monitor. It was easy to set up, works with various apps (we generally use onvif for android) and means that both my wife and I can monitor our babies while they’re sleeping on our phones. Power lead could be longer but so far very impressed with everything. The quality of both the nightvision and the normal mode is excellent and clear. The audio isn’t great, especially from user to camera, but that’s not what we bought it for so can’t complain. I spent quite a long time looking for an IP cam as a baby monitor, and am glad we chose this route. I’d highly recommend.

My needs are a bit different especially as it did not work out of the box with Surveillance Station and I had to poke around a bit. FIrst I discovered that the Chinese-made camera was apparently identical to a model from a slightly better known manufacturer called Wanscam, which enabled me to find a bit more documentation, but not much. I also played around with a handy utility called Onvif Device Manager (ONVIF being an XML standard for communicating with IP cameras), and used the device’s browser-based management utility.

This gave me access to various settings and the good news is that I did get the camera working to some extent with Surveillance Station. However I also discovered a number of security issues, starting of course with the use of default passwords (I forget what the admin password was but it was something like ‘password’).

The vendor wants to make it easy for users to view the camera’s video over the internet, for which it uses port forwarding. If you have UPnP enabled on your router, it will set this up automatically. This is on by default. In addition, something strange. There is a setting for UPnP but you will not find it in the browser-based management, not even under Network Settings:

image

Yet, if you happen to navigate to [camera ip no]/web/upnp.html there it is:

image

Why is this setting hidden, even from those users dedicated enough to use the browser settings, which are not even mentioned in the skimpy leaflet that comes with the camera? I don’t like UPnP and I do not recommend port forwarding to a device like this which will never be patched and whose firmware has a thrown-together look. But it may be because even disabling UPnP port forwarding will not secure the device. Following a tip from another user (of a similar camera), I checked the activity of the device in my router logs. It makes regular outbound connections to a variety of servers, with the one I checked being in Beijing. See here for a piece on this, with regard to Foscam cameras (also similar to mine).

I am not suggesting that there is anything sinister in this, and it is probably all about registering the device on a server in order to make the app work through a peer-to-peer network over the internet. But it is impolite to make these connections without informing the user and with no way that I have found to disable them.

Worse still, this peer-to-peer network is not secure. I found this analysis which goes into detail and note this remark:

an attacker can reach a camera only by knowing a serial number. The UDP tunnel between the attacker and the camera is established even if the attacker doesn’t know the credentials. It’s useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. Then, the attacker can just try to bruteforce credentials of the camera

I am not sure that this is the exact system used by my camera, but I think it is. I have no intention of installing the P2PIPC Android app which I am meant to use with it.

The result of course is that your “security” camera makes you vulnerable in all sorts of ways, from having strangers peer into your bedroom, to having an intrusion into your home or even business network with unpredictable consequences.

The solution if you want to use these camera reasonably safely is to block all outbound traffic from their IP address and use a different, trusted application to get access to the video feed. As well as, of course, avoiding port forwarding and not using an app like P2PIPC.

There is a coda to this story. I wrote a review on Amazon’s UK site; it wasn’t entirely negative, but included warnings about security and how to use the camera reasonably safely. The way these reviews work on Amazon is that those with the most “helpful votes” float to the top and are seen by more potential purchasers. Over the course of a month or so, my review received half a dozen such votes and was automatically highlighted on the page. Mysteriously, a batch of negative votes suddenly appeared, sinking the review out of sight to all but the most dedicated purchasers. I cannot know the source of these negative votes (now approximately equal to the positives) but observe that Amazon’s system makes it easy for a vendor to make undesirable reviews disappear.

What I find depressing is that despite considerable publicity these cameras remain not only on sale but highly popular, with most purchasers having no idea of the possible harm from installing and using what seems like a cool gadget.

We need, I guess, some kind of kitemark for security along with regulations similar to those for electrical safety. Mothers would not dream of installing an unsafe electrical device next to their sleeping child. Insecure IoT devices are also dangerous, and somehow that needs to be communicated beyond those with technical know-how.

Fake TalkTalk Frequently Asked Questions

I use TalkTalk for broadband and landline – though I never signed up with TalkTalk, I signed up with a smaller provider that was taken over – and recently I have been plagued with calls from people claiming to be from TalkTalk, but who in fact have malicious intent. If I am busy I just put the phone down, but sometimes I chat with them for a while, to discover more about what they are trying to do.

Rather than write a long general piece about this problem, I thought the best approach would be a Q&A with answers to the best of my knowledge.

Why so many fake TalkTalk calls?

I have two landline numbers, and until recently only the non-TalkTalk number ever got called by scammers. This makes me think that the flood of TalkTalk calls is related to data stolen from the company, perhaps in October 215 or perhaps in subsequent attacks. Some victims report that scammers know their name and account number; in my case I don’t have any evidence for that. On a couple of occasions I have asked the caller to state my account number but they have given me a random number. However I do think that my telephone number is on a list of valid TalkTalk numbers that is circulating among these criminal companies.

How do I know if it is really TalkTalk?

My advice is to assume that is it not TalkTalk. If you think TalkTalk really wants to get in touch with you, put the phone down and call TalkTalk customer service, either from another number or after waiting 15 minutes to make sure that the person who called you has really terminated the call.

How does the caller know my Computer License ID?

A common part of these scripts is that the caller will show that he knows your “computer license ID” by guiding you to show it on your screen and then reading it to you. They do this by getting to you open a command window and type assoc:

image

The way this works is simple. The number you see next to .ZFSendToTarget is not a license ID. The abbreviation stands for Class ID and it is part of the plumbing of Windows, the same on every Windows PC.

What about all the malware errors and warnings on my PC?

This is a core part of the fake TalkTalk (and fake Microsoft) script. Our server has picked up warning messages from your computer, they say, and they show you a list of them.

The way this works is that the scammer guides you to open a Windows utility called Event Viewer, usually via the Run dialog (type eventvwr). Then they get you to filter it to show “Administrative events” which filters the log to show only errors and warnings.

Now, you have to agree that the number of errors and warnings Windows manages to generate is remarkable. My PC has over 9,000:

image

However, these messages are not generated by malware, nor are they broadcast to the world (or to TalkTalk servers). They are simply log entries generated by the operating system. If you have time on your hands, you can look up the reason for each one and even fix many of them; but in most cases they are just noise. Real malware, needless to say, does not make helpful logs of its activity but keeps quiet about it.

What does Fake TalkTalk really want to do?

Once your fake TalkTalk caller has persuaded you that something is wrong with your PC or router or internet connection, the next step is invariably to get remote access to your PC. They do this by guiding you to a website such as Ammyy or Logmein Rescue, and initiate a support session. These are legitimate services used by support engineers, but unfortunately if you allow someone untrustworthy to log onto your PC bad things will happen. Despite what the caller may tell you, these sessions are not just for messaging but enable the scammer to see your computer screen and even take over mouse and keyboard input.

Windows will generally warn you before you allow a remote session to start. You have to pass a dialog that says something like “Do you want to allow this app to make changes to your PC?” or similar. This warning is there for a reason! For sure say No if fake TalkTalk is on the line.

Note though that this remote control software is not in itself malware. Therefore you will see that the software that is trying to run is from a legitimate company. Unfortunately that will not protect you when someone who means you harm is at the other end of the connection.

OK, so Fake TalkTalk has a remote connection. What next?

Despite my interest in the goals of these scammers, I have never gone so far as to allow them to connect. There are ways to do this relatively safely, with an isolated virtual machine, but I have not gone that far. However I have seen reports from victims.

There is no single fake TalkTalk, but many organisations out there who do this impersonating. So the goals of these various organisations (and they are generally organisations rather than individuals) will vary.

A known scam is that the scammer will tell you a refund is due because of your slow internet connection. They show you that the sum has been paid, via a fake site, but oh dear, it is more than is due! For example, you are due £200 but have been paid £1200. Oops. Would you mind repaying the £1000 or I will be fired? So you send off £1000 but it turns out you were not paid any money at all.

Other possibilities are that your PC becomes part of a bot network, to be rented out to criminals for various purposes; or that the “engineer” finds such severe “problems” with your PC that you have to purchase their expensive anti-malware software or service; or your PC may be used to send out spam; or a small piece of software is installed that captures your keystrokes so your passwords will be sent to the scammer; or the scammer will search your documents for information they can use for identity theft.

Many possibilities, so for sure it is better not to let these scammers, or anyone you do not trust, to connect to your PC.

Who are the organisations behind Fake TalkTalk?

When I am called by TalkTalk impersonators, I notice several things. One is that the call quality is often poor, thanks to use of a cheap voice over IP connection from a far-off country. Second, I can hear many other calls taking place in the background, showing that these are not just individuals but organisations of some size. In fact, a common pattern is that three people are involved, one who initiates the call, a supervisor who makes the remote connection, and a third “engineer” who takes over once the connection is made.

One thing you can be sure of is that the are not in the UK. In fact, all the calls I have had seem to originate from outside Europe. This means of course that they are outside the scope of our regulators and difficult for police or fraud investigators to track down.

If you ask one of these callers where they are calling from, they often say they are in London. You can have some fun by asking questions like “what is the weather like in London?” or “what is the nearest tube station?”, they probably have no idea.

What is being done about this problem?

Good question. I have reported all my calls to TalkTalk, as well as using “Report abuse” forms on LogMeIn with the PIN numbers used by the criminals. On one occasion I had a scammer’s Google email address given to me; there is no way I can find to report this to Google which perhaps shows the limits of how much the company cares about our security.

I am not optimistic then that much of substance is being done or can be done. Addressing the problem at source means visiting the country where the scam is based and working with local law enforcement; even if that worked, other organisations in other countries soon pop up.

That means, for the moment, that education and warning is essential, imperfect though it is. TalkTalk, it seems to me, could do much better. Have they contacted all their customers will information and warnings? I don’t believe so. It is worried, perhaps, more about its reputation than the security of its customers.

DatAshur encrypted drives: protect your data but be sure to back it up too

The iStorage DataAshur USB flash drive is a neat way to encrypt your data. Lost USB storage devices are a common cause of data theft anxiety: in most cases the finder won’t care about your data but you can never be certain.

image

The DatAshur is simple to operate but highly secure, presuming it meets the advertised specification. All data written to the drive is automatically encrypted with 256-bit AES CBC (Advanced Encryption Standard with Cipher Block Chaining) and meets the US FIPS 140-2 standard. The encryption is transparent to the operating system, since decryption is built into the device and enabled by entering a PIN of 7 to 15 digits.

Note that a snag with this arrangement is that if your PC is compromised a hacker might be able to read the data while the drive is connected. If you are really anxious you could get round this by working offline, or perhaps using Microsoft’s clever Windows to Go (WTG) technology where you boot from a USB device and work in isolation from the host operating system. Unfortunately DatAshur does not support WTG (as far as I know) but there are alternatives which do, or you could boot into WTG and then insert your DatAshur device.

Normally you enter the PIN to unlock the drive before connecting it to a PC or Mac. This does mean that the DatAshur requires a battery, and a rechargeable battery is built in. However if the battery is exhausted you can still get your data back by recharging the device (it charges whenever it is plugged into a USB port).

OK, so what happens if a bad guy gets your device and enters PINs repeatedly until the right one is found? This will not work (unless you chose 1234567 or something like that) since after 10 failed tries the device resets, deleting all your data.

You should avoid, then, the following scenario. You give your DatAshur drive to your friend to show it off. “I’ve just updated all my expenses on this and there is no way you’ll be able to get at the data”. Friend fiddles for a bit. “Indeed,and neither can you”.

Here then is the security dilemma: the better the security, the more you risk losing access to your own data.

The DatAshur does have an additional feature which mitigates the risk of forgetting the PIN. You can actually set two PINs, a user PIN and an admin PIN. The admin PIN could be retained by a security department at work, or kept in some other safe place. This still will not rescue you though if more than 10 attempts are made.

What this means is that data you cannot afford to lose must be backed up as well as encrypted, with all the complexity that backup involves (must be off-site and secure).

Still, if you understand the implications this is a neat solution, provided you do not need to use those pesky mobile devices that lack USB ports.

The product tested has a capacity from 4GB to 32GB and has a smart, strong metal case. The plastic personal edition runs from 8GB to 32GB and is less robust. An SSD model offers from 30GB to 240GB, and larger desktop units support SSD or hard drive storage from 64GB to 6TB, with USB 3.0 for fast data transfer.

Prices range from around £30 inc VAT for an 8GB Personal USB stick, to £39.50 for the 4GB professional device reviewed here, up to £470 for the monster 6TB drive or £691 for a USB 3.0 external SSD (prices taken from a popular online retailer). The cost strikes me as reasonable for well-made secure storage.

More information on DatAshur is here.

Review: Kingston DataTraveler Locker+G2 secure USB Flash drive

Ever lost a USB Flash drive? Do you even know? There are so many around now that it would be easy to drop one and not to notice.

Most of the time that does not matter; but what if there is confidential data on there? This can be hard to avoid. Perhaps you want the drive for backup of your most important stuff, or to exchange data with a business partner.

The obvious solution is to encrypt the data. There are a variety of approaches, but the advantage of the Kingston DataTraveler Locker+ G2 is that you (or your staff) have no choice: if you do not set a password, you cannot use the drive.

image

The actual drive is a smart metal affair which is surprisingly weighty for its size. You can attach it to a key ring with a supplied loop. Stick it into a Mac or PC (no Linux support sadly) and two drives are detected, one a tiny 10MB drive and the other apparently empty. In order to setup the drive or access the data, you have to run Kingston’s DTLocker utility.

image

The password requirements are a minimum of 6 characters with at least three of upper case, lower case, numeric and special characters.

While 6 characters seems weak it is not too bad considering that after 10 wrong attempts the device will block access and require a password reset. When the password is reset the device is automatically reformatted. In other words, if a bad guy gets your Flash drive, he will be able to reset the password and use the device, but will not see your data.

If a good guy finds your device, he can read your contact details and get in touch to return it to you.

image

The general approach seems reasonable, and is a great improvement over sticking confidential data on a Flash drive and hoping for the best. However I did encounter an issue where the utility refused to run. Another drive which also appears as two drives was already connected, and somehow this tripped up the DTLocker utility. When I disconnecte the other drive, all was well. It is something to do with available drive letters, even though I still had plenty free.

Once set up, the DTLocker stays resident and offers a context menu in the Windows notification area.

image

The device formats as FAT32 but I successfully reformatted it as NTFS, just to see if it would work. It did. I also had success using the DataTraveler on a Mac.

With five year warranty and an inexpensive price, the DataTraveler Locker+ is easy to recommend. There are a couple of caveats. Kingston’s firmware could do with a bit of work to overcome occasional drive letter problems. Second, I would like to see more information about the type of drive encryption used. What if a determined data thief stripped down the drive and read the data? The absence of more information suggests that Kingston is aiming this at those who want casual data protection, not the highest level of security. In normal circumstances though, it is more than enough.

Want a free Data Traveler Locker? Look out for our competition coming soon.

   

Document security and Apple iCloud

I have just set up iCloud on three Apple devices: a Mac, an iPad 2, and an iPhone 4.

image

On the iOS devices I was asked if I wanted to use iCloud, and when I agreed, watched as all my documents were transferred from the device to iCloud.com.

I then went to the iCloud website, signed in with my Apple ID – username and password – and saw that all my documents were there ready for download.

I also tried editing a document on the iPhone. In moments, the edited document was also updated on the iPad.

All very convenient; but I realised that I’d just sent up to the cloud a couple of documents that include information I do not want to share. How safe is it on iCloud? Does Apple encrypt the documents?

I looked at Apple’s iCloud information and on the support site and found nothing about security on a quick look, other than that traffic is SSL encrypted, so here are my own observations.

First, access to iCloud.com is protected only by the username and password which form your Apple ID. Sony recently reported a breach of 93,000 accounts on the PlayStation network, apparently based on a list of username/password combinations that a hacker found elsewhere. In other words, some other popular site(s) suffered a security breach, and the hacker automated an attack on the PlayStation Network on the assumption that the same credentials might be used there. The majority failed, but 93,000 succeeded, demonstrating that this is not a small risk.

Second, I wondered if I could mitigate the risk by encrypting my iCloud documents. I cannot find a way to set a password on a Pages document in iOS, but I can do so on the Mac. I password-protected a document, and then uploaded it to iCloud. Next, I opened this on the iPad. I was prompted for the password – good. However, I then modified the document in Pages on the iPad. This automatically updated the document on iCloud, but it was no longer password protected. I do not recall seeing a warning about the password protection being removed. It looks as if password protection does not iWork if you use iOS.

Third, I found this statement in Apple’s terms of service for iwork.com. It is repeated in the terms for MobileMe, and which I cannot yet find terms for iCloud.com it may well be the same there too:

Access to Your Account and Content

You acknowledge and agree that Apple may access, use, preserve and/or disclose your account information and Content if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce these TOS, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users or the public as required or permitted by law.

I guess what this means is that if you have confidential documents, iCloud.com is not a sensible place to keep them.

I would like to see some way of disabling cloud sync for specified documents, but as far as I can tell there is no such feature yet.

Further, if your Apple ID is the same username and password that you use on dozens of other sites on which you have been required to register, it would be worth changing it to something long and unique. I would also suggest reviewing the insecurity questions, which are not for your protection, but to reduce the number of password reset requests which support have to deal with. The best answers are those which are not true and therefore potentially discoverable, but made-up ones, as essentially these are secondary passwords.

New Sony PlayStation Network hack: not as bad as you may have heard

Sony’s Chief Security Officer Philip Reitinger has reported a new attack on the PlayStation network leading to headlines stating Sony hacked again. Has the company not learned from the incidents earlier this year?

Actually, it probably has; the new hacking attempt does not exploit any weakness in Sony’s network unless you consider any system reliant on username/password to be weak – not an unreasonable opinion, but given that the likes of Apple and Amazon and PayPal still use it, hardly fair to single out Sony.

If you read the statement carefully, it says that somebody obtained a large list of username/password pairs and ran them against Sony’s network. Further:

given that … the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks

Because of the large number of PlayStation users, there were still 93,000 successful matches, which to its credit Sony says it detected – presumably there was a pattern to the attack, such as a limited range of source IP numbers or other evidence of automated log-in attempts.

If Sony is right, and the list of passwords came from another source, there is no reason why the hacker might not try the same list against other targets and this is not evidence of a weakness in the PlayStation network itself.

As Reitinger notes:

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

It is good advice, though can be impractical if you have a very large number of online accounts. Something like PasswordSafe or Keypass is near-essential for managing them, if you are serious about maintaining numerous different combinations.

From what we know so far though, this is not evidence of continued weakness in the PlayStation network; rather, it is evidence of the continued prevalence of hacking attempts. Kudos to Sony for its open reporting.

An iOS security tip: tap and hold links in emails to preview links

Today I was using an iPad and received a fake email designed to look as if it were from Facebook. It was a good imitation of the Facebook style.

image

In particular, the links for sign in look OK.

Outlook on Windows displays the actual link when you hover the mouse pointer over the link. As you can see, in this case it is nothing to do with Facebook:

image

How do you do this on iOS? There is no mouse hover (though it could be down with a proximity sensor) but if you tap and hold on the link, iOS pops up a dialog revealing the scam:

image

Worth mentioning as tapping and holding a link to inspect it is not obvious and some users may not be aware of this feature.

The iPad is still worse than Outlook for email security. Outlook does not download images by default. Downloading the image tells the spammer that you have opened the message:

image

The iPad mail client downloads all images.

image

In mitigation, most malware on web sites will not run on iOS. However you could still give away your password or other information if you are tricked by a deceptive web page or fake login.

Hiding links is a feature built into HTML. The designers of HTML figured out that we would rather see a friendly plain English link than a long URL. Unfortunately this feature, and related ones like the ability to make an image a link, play into the hands of the scammers and it is necessary to look at the real link before you follow it.

A better solution would be authenticated email, so that fake Facebook emails would be detected before they are displayed. Unfortunately we are still a long way from using authenticated emails as the norm.

Monitor your home when away: Jabbakam IP camera service reviewed

About to head off for your summer break? What may happen back home is always a concern; but if you want a bit more piece of mind, how about a live webcam view of what is going on in places you care about?

Of course you can easily purchase a security camera kit from your favourite electronic hobbyist store, but it is not a complete solution. Recording video to a hard drive is all very well, but what if the thief takes a hammer to it or even nabs it? Further, returning home to find two-week old footage of a break-in is of limited use compared to a live alert.

In other words, you need not only a camera but also a service. This used to be expensive, but does not need to be in the internet era. What about a cheap camera that sends images to a web site, enabling you to log in from anywhere and check what is going on? And how about an email or SMS alert triggered by motion detection?

This is exactly what Jabbakam does. The basic kit costs £59.95 and £5.95 per month, for which you get an IP camera and 14 days of video footage stored online. You can also use your own camera if you have a suitable one; the main requirement is that it supports motion detection, enabling the alerting feature, and reducing the number of images that need to be sent to the web service. More expensive subscriptions store video for longer; £13.95 per month gets you 90 days. SMS alerts cost extra.

Developed by a company based in Guernsey, the product is not so much the camera, but rather the web application and service. The camera itself is a simple but well-made affair, with a wall-mountable bracket and a swivel joint that lets you angle it. You can also adjust focus by twisting the lens.

image

Under the webcam are ports for wired Ethernet and power.

image

Given that the serial number starts YCAM I have a hunch it may be made for Jabbakam by Y-cam.

The camera must be wired to your broadband router. If you are on a business network you may have firewall issues; I tried on my own network and found it did not work behind the firewall, but have not investigated in detail.

So how about the service? I signed into Jabbakam and found that set-up was pretty much IJW (It Just Works). The camera was detected and I could view live images. Video is a slightly generous term, since each image is one second apart, and the quality is not fantastic, but gives you a good idea of what is happening. You can add additional cameras if you want fuller coverage of your home or workplace.

I also set up email alerting. This seems to work well. When the camera detects movement you get an email with a still image attached. Click the link in the email, and you can view the video. There is also an iPhone app that shows recent images. Advanced settings let you schedule alerts, for example to avoid having them active when you yourself are moving around.

image

Jabbakam is not just intended for security. The web service also has the concept of networks, which enable you to share your camera with others. The number is small at the moment, but I did see one called Birdboxes of Jabbakam which I guess is for ornithology enthusiasts.

There was one aspect of Jabbakam that I found troubling. A mash-up with Google Maps lets you see where cameras of other users are installed, and clicking on a camera gives you the name and address of the user and a link to send a private message:

image

I discovered that this information sharing is on by default:

image

This surprised me, as I would have thought that a typical Jabbakam user would be sensitive about sharing these details.

Finally, I should mention that Jabbakam has a RESTful API for developers, though the documentation is incomplete at the moment and the application showcase is empty. Apparently this is being worked on, so watch the space if you are interested.

A good buy? On the plus side, Jabbakam seems to me nicely done, easy to set up, and delivers what is claimed: remote video monitoring of any indoor location. The alert service is particularly useful, though this only works if the camera is pointing somewhere that should normally be motion-free. For example, pointing the camera at a car parked on the street outside your home might seem a good idea, except that the alert would go off every time someone walked by. I should also observe that the supplied camera only works indoors, so it would need to be at a window.

There are questions of course about the effectiveness of CCTV security. Blurry pictures of hooded figures may not do you much good in terms of identifying the villains, though the alert service could be an advantage.

What are the social implications if large numbers of people choose to stick surveillance cameras all over their homes? I am not sure, but it is a question worth reflecting on.

That said, for someone on holiday who would like the ability to check that everything is in order at home, this seems to me a neat and smart solution.