Tag Archives: security

Review: Kingston DataTraveler Locker+G2 secure USB Flash drive

Ever lost a USB Flash drive? Do you even know? There are so many around now that it would be easy to drop one and not to notice.

Most of the time that does not matter; but what if there is confidential data on there? This can be hard to avoid. Perhaps you want the drive for backup of your most important stuff, or to exchange data with a business partner.

The obvious solution is to encrypt the data. There are a variety of approaches, but the advantage of the Kingston DataTraveler Locker+ G2 is that you (or your staff) have no choice: if you do not set a password, you cannot use the drive.

image

The actual drive is a smart metal affair which is surprisingly weighty for its size. You can attach it to a key ring with a supplied loop. Stick it into a Mac or PC (no Linux support sadly) and two drives are detected, one a tiny 10MB drive and the other apparently empty. In order to set up the drive or access the data, you have to run Kingston’s DTLocker utility.

image

The password requirements are a minimum of 6 characters with at least three of upper case, lower case, numeric and special characters.

While 6 characters seems weak it is not too bad considering that after 10 wrong attempts the device will block access and require a password reset. When the password is reset the device is automatically reformatted. In other words, if a bad guy gets your Flash drive, he will be able to reset the password and use the device, but will not see your data.

If a good guy finds your device, he can read your contact details and get in touch to return it to you.

image

The general approach seems reasonable, and is a great improvement over sticking confidential data on a Flash drive and hoping for the best. However I did encounter an issue where the utility refused to run. Another drive which also appears as two drives was already connected, and somehow this tripped up the DTLocker utility. When I disconnected the other drive, all was well. It is something to do with available drive letters, even though I still had plenty free.

Once set up, the DTLocker stays resident and offers a context menu in the Windows notification area.

image

The device formats as FAT32 but I successfully reformatted it as NTFS, just to see if it would work. It did. I also had success using the DataTraveler on a Mac.

With a five-year warranty and an inexpensive price, the DataTraveler Locker+ is easy to recommend. There are a couple of caveats. Kingston’s firmware could do with a bit of work to overcome occasional drive letter problems. Second, I would like to see more information about the type of drive encryption used. What if a determined data thief stripped down the drive and read the data? The absence of more information suggests that Kingston is aiming this at those who want casual data protection, not the highest level of security. In normal circumstances though, it is more than enough.

Want a free Data Traveler Locker? Look out for our competition coming soon.


Document security and Apple iCloud

I have just set up iCloud on three Apple devices: a Mac, an iPad 2, and an iPhone 4.

image

On the iOS devices I was asked if I wanted to use iCloud, and when I agreed, watched as all my documents were transferred from the device to iCloud.com.

I then went to the iCloud website, signed in with my Apple ID – username and password – and saw that all my documents were there ready for download.

I also tried editing a document on the iPhone. In moments, the edited document was also updated on the iPad.

All very convenient; but I realised that I’d just sent up to the cloud a couple of documents that include information I do not want to share. How safe is it on iCloud? Does Apple encrypt the documents?

I looked at Apple’s iCloud information and on the support site and found nothing about security on a quick look, other than that traffic is SSL encrypted, so here are my own observations.

First, access to iCloud.com is protected only by the username and password which form your Apple ID. Sony recently reported a breach of 93,000 accounts on the PlayStation network, apparently based on a list of username/password combinations that a hacker found elsewhere. In other words, some other popular site(s) suffered a security breach, and the hacker automated an attack on the PlayStation Network on the assumption that the same credentials might be used there. The majority failed, but 93,000 succeeded, demonstrating that this is not a small risk.

Second, I wondered if I could mitigate the risk by encrypting my iCloud documents. I cannot find a way to set a password on a Pages document in iOS, but I can do so on the Mac. I password-protected a document, and then uploaded it to iCloud. Next, I opened this on the iPad. I was prompted for the password – good. However, I then modified the document in Pages on the iPad. This automatically updated the document on iCloud, but it was no longer password protected. I do not recall seeing a warning about the password protection being removed. It looks as if password protection does not iWork if you use iOS.

Third, I found this statement in Apple’s terms of service for iwork.com. It is repeated in the terms for MobileMe, and while I cannot yet find terms for iCloud.com, it may well be the same there too:

Access to Your Account and Content

You acknowledge and agree that Apple may access, use, preserve and/or disclose your account information and Content if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce these TOS, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users or the public as required or permitted by law.

I guess what this means is that if you have confidential documents, iCloud.com is not a sensible place to keep them.

I would like to see some way of disabling cloud sync for specified documents, but as far as I can tell there is no such feature yet.

Further, if your Apple ID is the same username and password that you use on dozens of other sites on which you have been required to register, it would be worth changing it to something long and unique. I would also suggest reviewing the insecurity questions, which are not for your protection, but to reduce the number of password reset requests which support have to deal with. The best answers are not true ones, which are potentially discoverable, but made-up ones, as essentially these are secondary passwords.

New Sony PlayStation Network hack: not as bad as you may have heard

Sony’s Chief Security Officer Philip Reitinger has reported a new attack on the PlayStation network leading to headlines stating Sony hacked again. Has the company not learned from the incidents earlier this year?

Actually, it probably has; the new hacking attempt does not exploit any weakness in Sony’s network unless you consider any system reliant on username/password to be weak – not an unreasonable opinion, but given that the likes of Apple and Amazon and PayPal still use it, hardly fair to single out Sony.

If you read the statement carefully, it says that somebody obtained a large list of username/password pairs and ran them against Sony’s network. Further:

given that … the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks

Because of the large number of PlayStation users, there were still 93,000 successful matches, which to its credit Sony says it detected – presumably there was a pattern to the attack, such as a limited range of source IP numbers or other evidence of automated log-in attempts.
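The kind of pattern-based detection hinted at here, as an added illustration that is not from Sony’s report or this post: a credential-stuffing run shows up as one source trying many different accounts about once each, with most attempts failing. The log format, IP addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data), one attempt per
# line: timestamp username source_ip result
SAMPLE_LOG = """\
2011-10-12T10:00:01 alice 203.0.113.5 FAIL
2011-10-12T10:00:02 bob 203.0.113.5 FAIL
2011-10-12T10:00:02 carol 203.0.113.5 OK
2011-10-12T10:00:03 dave 203.0.113.5 FAIL
2011-10-12T10:00:03 erin 203.0.113.6 FAIL
2011-10-12T10:00:04 frank 203.0.113.6 FAIL
2011-10-12T10:00:05 grace 203.0.113.6 FAIL
2011-10-12T10:00:06 heidi 203.0.113.6 OK
2011-10-12T10:00:07 ivan 203.0.113.5 FAIL
2011-10-12T10:05:00 alice 198.51.100.7 FAIL
2011-10-12T10:05:10 alice 198.51.100.7 OK
"""

def parse_log(text):
    """Return (timestamp, username, ip, succeeded) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            events.append((ts, user, ip, result == "OK"))
    return events

def find_stuffing_sources(events, min_distinct_users=4, min_fail_ratio=0.6):
    """Flag source IPs that look like a replayed leaked-credential list.

    Many distinct accounts tried about once each, mostly failing (brute
    force is the opposite: one account, many passwords).  Accounts that
    succeeded from a flagged source are known to the attacker: reset them.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "fails": 0, "ok_users": set()})
    for _ts, user, ip, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["ok_users"].add(user)
        else:
            s["fails"] += 1
    flagged = {ip for ip, s in stats.items()
               if len(s["users"]) >= min_distinct_users
               and s["fails"] / s["attempts"] >= min_fail_ratio}
    compromised = set().union(*(stats[ip]["ok_users"] for ip in flagged))
    return {"flagged": flagged, "compromised": compromised, "stats": dict(stats)}
```

The single user at 198.51.100.7 who mistypes once and then succeeds is not flagged, which is the distinction that keeps this from generating noise on ordinary logins.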

If Sony is right, and the list of passwords came from another source, there is no reason why the hacker might not try the same list against other targets and this is not evidence of a weakness in the PlayStation network itself.

As Reitinger notes:

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

It is good advice, though it can be impractical if you have a very large number of online accounts. Something like PasswordSafe or KeePass is near-essential for managing them, if you are serious about maintaining numerous different combinations.

From what we know so far though, this is not evidence of continued weakness in the PlayStation network; rather, it is evidence of the continued prevalence of hacking attempts. Kudos to Sony for its open reporting.

An iOS security tip: tap and hold links in emails to preview links

Today I was using an iPad and received a fake email designed to look as if it were from Facebook. It was a good imitation of the Facebook style.

image

In particular, the links for sign in look OK.

Outlook on Windows displays the actual link when you hover the mouse pointer over the link. As you can see, in this case it is nothing to do with Facebook:

image

How do you do this on iOS? There is no mouse hover (though it could be done with a proximity sensor) but if you tap and hold on the link, iOS pops up a dialog revealing the scam:

image

Worth mentioning as tapping and holding a link to inspect it is not obvious and some users may not be aware of this feature.

The iPad is still worse than Outlook for email security. Outlook does not download images by default. Downloading the image tells the spammer that you have opened the message:

image

The iPad mail client downloads all images.

image

In mitigation, most malware on web sites will not run on iOS. However you could still give away your password or other information if you are tricked by a deceptive web page or fake login.

Hiding links is a feature built into HTML. The designers of HTML figured out that we would rather see a friendly plain English link than a long URL. Unfortunately this feature, and related ones like the ability to make an image a link, play into the hands of the scammers and it is necessary to look at the real link before you follow it.
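The "look at the real link" check, written as an added example that is not from this post: it pulls every anchor out of an HTML email body and flags links whose destination is not the expected site, or whose visible text names one host while the href goes somewhere else. The email fragment, hosts and the two-label domain rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment imitating a fake "sign in" notice (made-up hosts).
SAMPLE_EMAIL = """
<a href="http://www.facebook.com.login-verify.example/f">www.facebook.com</a>
<a href="https://www.facebook.com/help">Help Centre</a>
<a href="http://198.51.100.23/fb/"><img src="cid:logo"></a>
"""

class LinkCollector(HTMLParser):  # collects (visible text, href) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host (assumption: enough for .com-style names)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def host_shown_in_text(text):
    # If the link text itself looks like a URL or host, return that host.
    t = text.strip().lower().split("://", 1)[-1].split("/", 1)[0]
    return t if "." in t and " " not in t else ""

def suspicious_links(html, expected_domain):
    """Return (text, href, reasons) for each link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real_host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(real_host) != expected_domain.lower():
            reasons.append(f"destination {real_host!r} is not {expected_domain}")
        shown = host_shown_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(real_host):
            reasons.append(f"text shows {shown!r} but link goes to {real_host!r}")
        if reasons:
            findings.append((text, href, reasons))
    return findings
```

The image-only link is caught purely by its destination, since there is no visible text to compare, which is why the destination check runs on every link rather than only on text that looks like a URL.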

A better solution would be authenticated email, so that fake Facebook emails would be detected before they are displayed. Unfortunately we are still a long way from using authenticated emails as the norm.

Monitor your home when away: Jabbakam IP camera service reviewed

About to head off for your summer break? What may happen back home is always a concern; but if you want a bit more peace of mind, how about a live webcam view of what is going on in places you care about?

Of course you can easily purchase a security camera kit from your favourite electronic hobbyist store, but it is not a complete solution. Recording video to a hard drive is all very well, but what if the thief takes a hammer to it or even nabs it? Further, returning home to find two-week old footage of a break-in is of limited use compared to a live alert.

In other words, you need not only a camera but also a service. This used to be expensive, but does not need to be in the internet era. What about a cheap camera that sends images to a web site, enabling you to log in from anywhere and check what is going on? And how about an email or SMS alert triggered by motion detection?

This is exactly what Jabbakam does. The basic kit costs £59.95 and £5.95 per month, for which you get an IP camera and 14 days of video footage stored online. You can also use your own camera if you have a suitable one; the main requirement is that it supports motion detection, enabling the alerting feature, and reducing the number of images that need to be sent to the web service. More expensive subscriptions store video for longer; £13.95 per month gets you 90 days. SMS alerts cost extra.

Developed by a company based in Guernsey, the product is not so much the camera, but rather the web application and service. The camera itself is a simple but well-made affair, with a wall-mountable bracket and a swivel joint that lets you angle it. You can also adjust focus by twisting the lens.

image

Under the webcam are ports for wired Ethernet and power.

image

Given that the serial number starts YCAM I have a hunch it may be made for Jabbakam by Y-cam.

The camera must be wired to your broadband router. If you are on a business network you may have firewall issues; I tried on my own network and found it did not work behind the firewall, but have not investigated in detail.

So how about the service? I signed into Jabbakam and found that set-up was pretty much IJW (It Just Works). The camera was detected and I could view live images. Video is a slightly generous term, since each image is one second apart, and the quality is not fantastic, but gives you a good idea of what is happening. You can add additional cameras if you want fuller coverage of your home or workplace.

I also set up email alerting. This seems to work well. When the camera detects movement you get an email with a still image attached. Click the link in the email, and you can view the video. There is also an iPhone app that shows recent images. Advanced settings let you schedule alerts, for example to avoid having them active when you yourself are moving around.

image

Jabbakam is not just intended for security. The web service also has the concept of networks, which enable you to share your camera with others. The number is small at the moment, but I did see one called Birdboxes of Jabbakam which I guess is for ornithology enthusiasts.

There was one aspect of Jabbakam that I found troubling. A mash-up with Google Maps lets you see where cameras of other users are installed, and clicking on a camera gives you the name and address of the user and a link to send a private message:

image

I discovered that this information sharing is on by default:

image

This surprised me, as I would have thought that a typical Jabbakam user would be sensitive about sharing these details.

Finally, I should mention that Jabbakam has a RESTful API for developers, though the documentation is incomplete at the moment and the application showcase is empty. Apparently this is being worked on, so watch this space if you are interested.

A good buy? On the plus side, Jabbakam seems to me nicely done, easy to set up, and delivers what is claimed: remote video monitoring of any indoor location. The alert service is particularly useful, though this only works if the camera is pointing somewhere that should normally be motion-free. For example, pointing the camera at a car parked on the street outside your home might seem a good idea, except that the alert would go off every time someone walked by. I should also observe that the supplied camera only works indoors, so it would need to be at a window.

There are questions of course about the effectiveness of CCTV security. Blurry pictures of hooded figures may not do you much good in terms of identifying the villains, though the alert service could be an advantage.

What are the social implications if large numbers of people choose to stick surveillance cameras all over their homes? I am not sure, but it is a question worth reflecting on.

That said, for someone on holiday who would like the ability to check that everything is in order at home, this seems to me a neat and smart solution.