Article

HP sued over security flaw in printers | Security – CNET News

My comments

An increasing trend that I have covered on this site and have noticed with equipment that I have reviewed is for the equipment to be updated with new firmware after it is sold to the customer.

Field-updating practices

Previously, this practice involved the device’s user using a regular computer as part of the update process. In a lot of cases, the user would download the update package to their computer and run a special program to deploy the update to the connected device. If the device, like a router, was connected via the network, the user uploaded the update package to the network-connected device via its management Web page or other network-file-transfer methods.

Now it is becoming more common for one to update the software in their device without the need to use a regular computer. This would be done using the setup options on the device’s control surface to check for and, if available, load newer firmware. 

It also includes the device automatically polling a server for new firmware updates and inviting the user to perform an update procedure or simply updating itself during off-hours for example; in a similar vein to the software-update mechanisms in Windows and MacOS.

As well, an increasing number of devices are becoming able to acquire new functionality through the use of “app stores” or the installation of add-on peripherals.

The HP lawsuit concerning printer firmware

Just last week, there has been a lawsuit filed against HP in San Jose District Court, California, USA concerning weaknesses in the firmware in some of their printers allowing for them to accept software of questionable origin. Issues that were raised were the ability to load modified software that could facilitate espionage or sabotage. This was discovered through lab-controlled experiments that were performed on some of the affected printers.

As all of us know, the firmware or apps are typically held on servers that can be easily compromised if one isn’t careful. This has been made more real with the recent Sony PlayStation Network break-ins, although data pertaining to users was stolen this time. But it could be feasible for a device to look for new firmware at a known server and find compromised software instead of the real thing.

They even raised the question not just about the software that is delivered and installed using a computer or network but the ability to install ROM or similar hardware chips in to the device to alter its functionality. I would also see this including the ability to pass in code through “debug” or “console” ports on these devices that are used to connect computers to the devices as part of the software-development process.

This could have implications as equipment like home appliances, HVAC / domestic-hot-water equipment and building security equipment become field-programmable and join the network all in the name of “smart energy” and building automation. Issues that can be raised include heaters, ovens or clothes dryers being allowed to run too hot and cause a fire or building alarm systems that betray security-critical information to the Social Web without the users knowing.

Further ramifications of this lawsuit

Device manufacturers will have to look at the firmware that governs their products in a similar vein to the software that runs regular and mobile computing equipment. This includes implementing authenticated software delivery, software rollback options and the requirement to keep customers in the loop about official software versions and change-logs (differences between software versions).

In some cases, business computing equipment like laser printers will have firmware delivered in a similar manner to how computer software is rolled out to regular computers in larger businesses. This includes software that enables centralised firmware deployment and the ability to implement trial-deployment scenarios when new firmware or add-on software is released.

Devices that have proper-operation requirements critical to data security or personnel / building safety and security may require highly-interactive firmware delivery augmented with digital-signature verification and direct software-update notification to the customer.

Similarly, security-software vendors may push for a system of integrating software solutions, including “edge-based” hardware firewall appliances in the process of software delivery to other devices.

Conclusion

What I would like to see out of this case if it is allowed to go “all the way” is that it becomes a platform where issues concerning the authenticity, veracity and safety of field-updatable firmware for specific-purpose devices are examined.

Article

Scareware slingers stumped by Google secure search • The Register

My Comments

Google has allowed users to perform a “Secure Search” option where their search-engine transactions are encrypted between the Google servers and their computer. This can be either facilitated through the user typing https://www.google.com or setting it as a default for their Google services account.

Obviously this feature is intended to provide a private secure-search sessions over open networks like Wi-Fi hotspots that are set up in the common open manner. But this also has a side benefit where destination Web sites don’t know what search terms are passed to them, thus making it harder to tune search search listings without the use of tools like Google Analytics.

The key obvious benefit is to stop the appearance of “poisoned” search listings that lead users to “scareware”. These are Trojan Horses which appear to be legitimate system utilities but are intended to separate the user from their money by spruiking horrendous system conditions to the user. Of course, I have had to deal with this menace by removing these programs from various friends’ computers.

The only limitation with this setup is that it only applies by default for people who are currently logged in to a Google service of some form like GMail. For users who share computers, they would have to start a Google-services session then head to the Google.com Website to start searching; or simply remember to type the https prefix. This can be achieved through the Google bookmark, favourite item or Intranet page hyperlink pointing to https://www.google.com .

At least this is another Web security item that offers more than is typically highlighted.

Another increasingly-popular social network service is Twitter. This was intended as a “microblogging” service but some people have been implementing it as another social network.

Like the similar Facebook article that I have written for Facebook novices, this will list who will see which information you post when you use Twitter. Here, I would recommend this as a bookmark or favourite or as something to print out and keep near the computer or have available on the business intranet.

Twitter lexicon

Who sees what

What to do where on Twitter

If someone follows you on your Twitter account, it may be a good idea to check that person out when you receive the notification by email. Here, you could then consider following that person and being able to use direct messaging as appropriately.

It is also worth noting that a lot of social Twitter users use “textspeak” (abbreviations and acronyms for common expressions used when sending SMS messages) when they send out Tweets. So you may have to use resources like the Urban Dictionary to help you understand some of this lingo.

Introduction

You might be considering setting up that complimentary hotspot for your guests to use but there are certain risks to be aware of concerning the security of your business and your guests’ data and identity.

Risks that have been highlighted include confidential-data and identity theft performed against customers as they work this data from their portable devices; as well as clandestine computer activity like the downloading or serving of illegal content; or the distribution of spam email, performed using computers connected to public Internet networks like wireless hotspots.

As well, there may be other imperatives required of people who provide Internet access to the public. These imperatives, asked for by various local, state / regional or national governments may include requirement like keeping a log of whom you provide Internet access to or requirement for session tracking. Therefore I am not therefore in a position to explain how to satisfy these needs and it is best to seek local advice on this topic.

Therefore, your business should know who is using the hotspot service and be able to make sure that the people who benefit are the business’s customers or guests. This means that the customers or guests are actually going to be operating the network device that they use when connecting to the service and also operate it on your premises. As well, your customers know that they are going to actually benefit from your hotspot service when they log in to this service.

The cafe or bar as a “second office”

This is more important for the cafe as an increasing number of businesspeople use these places as “second offices” where they can work without unnecessary office-borne distraction or as places where they meet their colleagues or business partners. Here, these people will be working on workplace-confidential data and most of these workplaces place high value on the security of this data as it travels between the laptop and the workplace’s main computer systems.

In fact, the reason I have decided to publish this article was because a cafe that I regularly visit in Camberwell (Melbourne, Australia) had just started to offer free public Wi-Fi access but I had wanted them to provide a free Wi-Fi service that is safe for their customers. Here, they had an ordinary wireless router as the Internet service but they needed help in getting this service working properly and safely. They also wanted to make sure that this resource was available just to their customers as part of their customer service.

Your equipment

When you start out with your complimentary-use hotspot service, you may use a wireless router hooked up to a separate Internet service or use one with a “guest-access” or hotspot function and is connected to your common Internet service.

This should be set up to cover your public area such as the bar areas in your bar or the dining room in your cafe. In some situations, you may need to use an additional access point to cover larger areas or get your signal past thick walls. This is something I have covered in this site as a separate article.

As well, if your equipment works on 802.11n technology, it should be set to work in compatibility mode where it can work with 802.11g and 802.11n devices. This is to cater for the fact that most devices that are in circulation, especially smartphones, are likely to work with 802.11g technology and people may operate battery-operated 802,11n-capable devices in 802.11g mode in order to conserve battery runtime. 

Your SSID or Network Name

The SSID or network name is very important to your hotspot’s identity. Here, it should reflect your business’s name and have a reference to public or guest Wi-Fi service. An example that I used for a basic complimentary-use Wi-Fi hotspot that I set up at a coffee lounge just recently was MORAVIA-PUBLIC-WIFI. Here this reflected the coffee lounge’s name (MORAVIA) as well as stating that the service was a public Wi-Fi hotspot service hosted by this business. Therefore, you can then identify any “evil-twin” or “fake-hotspot” devices left on or near the premises that exist to capture customers’ sensitive data.

This SSID must be used in all signage advertising your hotspot and the signage must reflect your company’s identity. This means that it either has your company logo and name or be in your company’s styling. In this case, the signage about the hotspot should at least exist beside the cash-register and the door, preferably at eye-level or near the main handle or pull.

Hotspot security

Basic security

Your hotspot network should be secured with a WPA-PSK passcode which your staff should give out to customers who want to use hotspot service. As well, the network should have wireless-client isolation enabled, so that customers who are using the hotspot cannot browse on to each others’ computers.

Previously, there wasn’t any wisdom in implementing link security on a public-use wireless network but now that most computers and handheld devices support WPA-based link security for wireless networks, adding this function to WPA-level is still worth it for achieving some control and security in a public-use wireless network.

It is still important to change the WPA-PSK passphrase regularly such as at least twice a month. Some environments may require the passphrase to the changed every week. This is so that it becomes hard to set up a “fake hotspot” using your service’s credentials or keep a computer logged in to the hotspot service without you knowing.

As well, your hotspot should properly support VPN pass-through for all protocols so that business users can log in to their workplace VPNs  without any headache.

Special hotspot-gateway devices

It may be worth knowing that if you want greater control over your public Internet service, it may be worth implementing a “docket-printer-based” wireless hotspot gateway like the Netcomm HS-1100, Solwise WAS-105R or Zyxel N4100.

Here, these devices direct users to a login page where they have to key in a session login and password that they transcribe from a paper docket that is printed from a docket printer attached to the hotspot gateway. If you intend to offer a paid service, these devices put you in a position to use the payment methods and paths that you use to accept payment for your goods and services.

This is unlike some other hotspot gateway setups that require the potential user to pay another company directly using their credit card or an account maintained by that other company using a payment form hosted by that hotspot. Typically, a lot of these setups are managed in a manner where you don’t have much control over how the service in provided and the service may be provided in a manner not dissimilar to how most vending and amusement machines are provided where you don’t own the equipment, representatives visit the premises to maintain the equipment and you get a small “cut” from the takings.

As well, the session login parameters that your users type in from these dockets exist only for a particular time limit. This is also important for people who run a paid service, but can be useful for managing complimentary service so you can be sure that the people who are using your service are your customers or guests who are in your public areas.

If you do run one of these dedicated hotspot gateway devices, such as a “docket-printer-based” device, the wireless network that these devices operate should still have WPA-PSK security with the passphrase changed regularly. The “docket-based” devices will list the WPA-PSK passphrase on that same docket so your customers can still log in to your hotspot from their device.

Branding options

If you do implement these devices, make sure that you know how to brand the customer-facing user interfaces.

Most of these devices can allow you to upload a graphic and integrate it in to the login interface or they can allow you to upload customised login screens or point to a Web server for the login interface graphics. The latter option may appeal to you if you have a good hand with creating basic HTML Web pages.

Here, make sure that you have your business name and logo and, if you can do it, set the colour scheme to your business’s colour scheme. As well, make sure that your business name appears on the access dockets that your hotspot gateway prints out.

Power outlets

With a hotspot, always expect that some of your customers will use the power outlets on your premises to power their laptops or smartphones from AC power to avoid compromising battery runtime. This is more so with customers are operating older equipment that has batteries that are “on their last legs” or are working VPN sessions in order to “pick up” files from work and want to be sure this is done properly.

Here, a few double outlets near the tables can work wonders here and if an outlet is used for powering a device like a lamp, the device could be connected to the outlet via a multi-socket power-board with extra outlet space for a few appliances.

Conclusion

Once you know how to choose and set up your public-use wireless network properly, you can make sure that this is a service that your customers and guests will benefit from fully. This may even put your business “on the map” as far as customer-service extras are concerned.

News Article

Phone scammers target computer owners | ABC News Australia

Alert over scam phone calls about bogus computer virus | Wolverhampton City Council (United Kingdom)

My Comments

Just today, a friend of mine who I live with received a phone call on our house phone saying that their computer is infected with a virus and she was being instructed to do certain procedures on the household computer. Luckily she told the caller to hang up and put the phone down and didn’t head towards the computer. This was very good for someone who hasn’t much familiarity with computer technology.

This is part of a scourge that is affecting home and small-business computer users and computer novices are more likely to be at risk of this fraud because they may not know the difference between a virus attack or a computer being very sluggish.

There has been some press coverage and coverage in government consumer-protection Websites and bulletins around the world concerning this topic, with a lot of weight placed on reference to the scammers claiming they represent Microsoft. But the scammers can pretend they represent other legitimate IT companies like antivirus software firms.

If you needed outside help regarding computer issues, you will most likely have initiated the contact yourself, whether through your computer-expert neighbour, relative, friend or acquaintance; your workplace’s IT support if your workplace has such a department or your computer supplier.

What these callers tend to do is to lead the user to download and install malware, usually in the form of spyware or fill in forms with email addresses and credit-card details in order to facilitate various forms of fraud against the user. This can be in the form of milking their bank account and credit-card of useable funds, inundating their email inbox with spam email or stealing other information that is confidential to them or their business operations.

So I would encourage all users to be careful of unfamiliar “call-centre” phone calls about computer viruses or similar issues and simply hang up when they receive these calls. As well, they should keep their desktop security programs on their computers up-to-date so as to protect against the various scams.

Other tactics that you may consider would be to threaten the scammers with legal action or question them about whether they can do business legally in your country. A good example would be asking them for their tax-registration details that are required of them if they do business in your country, such as the VAT registration details if you are in Europe or the Australian Business Number if you are in Australia.

Article

Mobile Users More Susceptible to Phishing Scams – www.enterprisemobiletoday.com

My comments

Why are mobile (smartphone and tablet-computer) users more susceptible to phishing scams?

The main reason is that the operating interface on the mobile computing devices is totally different to the operating environment on a desktop or laptop computer.

One main reason is that most of these devices don’t have a large display area in their Web browsers or email clients due to them having smaller display screens. This leads to the software designers designing a “clean and simple” user-interface for software pitched at these devices with minimal controls on the interface; which eliminates such concepts as fully-qualified email addresses and URLs. A lot of these devices even conceal the address bar where the user enters the URL of the page to be visited unless the user directly enters a URL that they intend to visit. Similarly, the email client only shows the display name for the incoming email, especially in the commonly-used “list-view”.

It is also augmented by the lack of a “B-option” interface in a mobile operating system. This is compared to what is accepted in a desktop operating environment with functions like right-clicking with a multi-button mouse or using Ctrl-Click on a single-button-mouse-equipped Macintosh to gain access to a context-sensitive secondary menu. Similarly, all scientific calculators used an [F] key and / or an [INV] key to modify the function of formula buttons either to gain access to the inverse of a formula or obtain another formula.

Such an option would allow the user to select a “function” button before selecting the option or displayed item in order to open a context-sensitive secondary-function menu or select a secondary function.

This discourages users from checking the URL they intend to click on in an email or the fully-qualified email address for an incoming email.

What could be done?

The Web browser and email client could support “phish detection” which could provide a highly-visible warning that one is heading to a “phishy” Web site or receiving a suspicious email. This function is just about provided in every desktop email client that most of us use but could be implemented in a mobile email client. Similarly, an email service could integrate filtering for phishy emails as part of its value-added spam-filter service.

There could even be the ability to have a “magnifying glass” touch button on the browser or email-client user interface which, when selected before you select an email address or URL, would show the fully-qualified email address or URL as a “pop-up”. This would have the domain name emphasised or written in a distinct colour so you know where you are going. This same interface could also be in place if one enters a URL directly in to their Web browser.

The mobile browsers could also support the Enhanced Validation SSL functionality through the use of a distinct graphic for the fully-validated sites. As well, a wireless-broadband provider or Wi-Fi hotspot could offer a “phish-verify” proxy service so that users can see a “red flag” if they attempt to visit a phishy Website similar to what happens in Internet Explorer when a user visits a suspicious Website.  This is similar to how some mobile providers warn that you are heading to a website that isn’t part of their “free-use” Website list and they could integrate this logic in to these proxy servers.

Conclusion

In general, the industry needs to look at the various user scenarios that are or are likely to be in place to improve secure Web browsing and email. Then they have to enable user-experience measure that can allow the user to verify the authenticity of Websites and emails.

This is more so as the small screens end handheld devices end up as the principal Web user interface for people who are on the move. It will also become more so as the “10-foot” TV interface, with its large screen with large text and graphics, D-pad navigation technique and use by relaxed and mostly-tired viewers relaxing on comfortable furniture becomes a mainstream “lounge-room” interface for the Web.

News article

Microsoft Security Essentials available to Small Businesses on October 7

My comments

Microsoft have an entry-level antimalware program called Security Essentials which was previously available free to home users and students. This required all business users to consider using their premium Forefront Security Suite or other competing desktop security software solutions for their computer security.

This put small businesses and organisations lie shops, medical practices, religious organisations, non-profits and the like who had a few computers on their network in a very difficult position especially when it came to easy-to-manage desktop security software, Now Microsoft have answered this need by varying the End User License Agreement for this program to allow small business users with up to 10 computers to run this program.

One of the reasons that I am pleased with this change is that it is easy for the owner of a small organisation (who is responsible for that organisation’s IT) to set up and manage desktop security on Windows-based computers with this easy-to-manage program. It works in conjunction with Windows Firewall and has very little that is needed to adjust, which will please most of this kind of user who may not have good computer skills.

This therefore may be a way for a small shop or similar operation with a few Windows computers to save money on their desktop security software. One improvement I would like to see is for Apple MacOS users to benefit from a free desktop-security program because as this platform becomes popular, malware writers will target it.

Mobile codes to boost Google account security | Security – CNET News

My comments

Google have worked on a way of improving security for Web-page login experiences because these login experiences are easily vulnerable to phishing attacks.

What is this technology

This method is similar to a hardware security “token” used by some big businesses for data security and increasingly by some banks to protect their customers’ Internet-banking accounts against phising attacks. This is a device that you keep with you in your wallet or on your keyring which shows a random number that you key in to a login screen alongside your user name and password and is based on “what you have” as well as “what you know”.

This time, the function of this “token” is moved to the mobile phone which nearly all of us have on ourselves. It will appear as a smartphone “app” for the Blackberry, Android or iPhone platforms that shows the random code number or will operate in the form of your phone showing an SMS with the token code or you hearing a code number from a call you answer on that phone. Of course, you will register your mobile number with Google to enable this level of security.

The direction for the technology

Google are intending to use it with their application platform which covers GMail, Adsense, Analytics, Picasa and other Google services. Initially it will be tried with selected user groups but will be available to the entire user base.

They will provide an option to avoid the need to use this “Google codes” system on the same computer for a month, which would appeal to users who work with their GMail account from their netbook or desktop PC. They will still need to have this work if they “come in” to their GMail account from another computer and it will work if someone else uses the same PC to check on their GMail.

What I am pleased about with this is that they intend to “open-source” this system so that it can be implemented in to other platforms and applications. Similarly, the “apps” can then be ported to newer smartphone platforms or “baked in” to other PDAs and similar devices. As far as the “apps” are concerned, I would like to allow one piece of code to service multiple service providers rather than loading a smartphone with multiple apps for different providers.

Making the home network secure

I would like to see this technology being tried out as a method of securing devices that use Web-based data-access or management interfaces, similar to D-Link’s use of CAPTCHA for securing their home-network routers’ management login interfaces. This is becoming more so as nearly every home uses a wireless network router as the network-Internet “edge” for their networks. Similarly, there is an increasing tendency to use a network-attached storage for pooling data to be available across the network or as backup storage and most of these units use a Web-based user interface.

Conclusion

One feature that I like about this Google project is that they have applied a security technology normally available to big business and made it available to small business and consumer users.

Articles

Intel acquires McAfee for $7.68 billion – Engadget

My comments

Most of the laptops that I have reviewed on this blog came with a trial edition of a McAfee desktop-security program. Similarly, there are some people who have cottoned on to a McAfee desktop-security solution of some form, either by taking out a full subscription to a trial program that came with their new computer, used a business-supplied program or, for long-time computer hobbyists and students, ran the shareware program on their DOS-based PCs to keep the likes of “Ping Pong” or “Stoned” off their hard disks.

This program, one of the “old dogs” of PC virus control and desktop security, has served many users very well but some users would find that Intel owning McAfee may change the course of the McAfee product lineup either to make it more cheaper or costlier. It could also be a chance to make for a “vertical” desktop-security package directed at a particular user group or, as I would hope for, prepare a competitive antivirus program for the Apple Macintosh platform. This is because as more people take to the Macintosh platform, the “computer underworld” could work on that platform and create malware for it.

A good question to ask is whether McAfee, being profitable, was simply bought out by Intel or whether McAfee was posting a loss and Intel offered to buy out the software company to offset the losses. The latter situation may be brought about by the arrival of the free desktop antivirus programs offered by AVG, Avira, Avast and Microsoft; and the fact that Microsoft is providing a highly-competent desktop firewall program that is baked in to the Windows Vista and 7 operating systems.

Who knows what could be the direction for premium desktop security programs, especially for the Windows platforms.

 Articles

Scareware Indictments Put Cybercriminals on Notice – Microsoft On The Issues

Swede charged in US over ‘scareware’ scheme | The Local (Sweden’s News in English) – Sweden

US-Behörden klagen Scareware-Betrüger an | Der Standard (Austria – German language)

From the horse’s mouth

FBI Press release

My comments

What is scareware

Scareware is a form of malware that presents itself as desktop security software. Typically this software uses a lot of emphasis on “flashing-up” of user-interface dialogs that mimic known desktop security programs, whether as add-on programs or functions that are integral to the operating system. They also put up dialogs requiring you to “register” or “activate” the software in a similar manner to most respected programs. This usually leads you to Web sites that require you to enter your credit-card number to pay for the program.

In reality, they are simply another form of Trojan Horse that is in a similar manner to the easy-to-write “fake login screen” Trojans that computer hackers have created in order to capture an administrator’s high-privilege login credentials. Some of the scareware is even written to take over the computer user’s interactive session, usually with processes that start when the computer starts, so as to “ring-fence” the user from vital system-control utilities like Task Manager, Control Panel or command-line options. In some cases, they also stop any executable files from running unless it is one of a narrow list of approved executable files. They are also known to nobble regular desktop anti-malware programs so that they don’t interfere with their nefarious activities. This behaviour outlined here is from observations that I had made over the last few weeks when I was trying to get a teenager’s computer that was infested with “scareware” back to normal operation.

Who ends up with this scareware on their computer

Typically the kind of user who will end up with such software on their computer would be consumers and small-business operators who are computer-naive or computer-illiterate and are most likely to respond to banner ads hawking “free anti-virus software”. They may not know which free consumer-grade anti-virus programs exist for their computing environment. In a similar context, they may have found their computer is operating below par and they have often heard advice that their computer is infested with viruses.

What you should do to avoid scareware and how should you handle an infestation

The proper steps to take to avoid your computer being infested with scareware is to make sure you are using reputable desktop security software on your computer. If you are strapped for cash, you should consider using AVG, Avast, Avira or Microsoft Security Essentials which have the links in the links column on the right of your screen when reading this article on the site.

If you have a computer that is already infected with this menace, it is a good idea to use another computer, whether on your home network or at your workplace, to download a “process-kill” utility like rkill.com to a USB memory key or CD-R and run this on the infected computer immediately after you log in. It may alos be worth visiting the “Bleeping Computer” resource site for further information regarding removing that particular scareware threat that is affecting your computer. This is because I have had very good experience with this site as a resource when I handled a computer that was infested with scareware.

If you are at a large workplace with a system administrator, ask them to prepare a “rescue CD” with the utilities from the “bleeping-computer” Web site or provide a link or “safe-site” option on your work-home laptop to this site so you can use this computer as a “reference” unit for finding out how to remove scareware from a computer on your home network.

How the criminal law fits in to this equation

The criminal law is now being used to target the “scareware” epidemic through the use of charges centred around fraud or deception. Like other criminal cases involving the online world, the situation will touch on legal situations where the offenders are resident in one or more differing countries and the victims are in the same or different other countries at the time of the offence.

This case could raise questions concerning different standards of proof concerning trans-national criminal offences as well as the point of trial for any such offences. 

Conclusion

Once you know what the “scareware” menace is, you are able to know that criminal-law measures are being used to tackle it and that you can recognise these threats and handle an infestation.

Disclaimer regarding ongoing criminal cases

This article pertains to an ongoing criminal-law action that is likely to go to trial. Nothing in this article is written to infer guilt on the accused parties who are innocent until proven guilty beyond reasonable doubt in a court of law. All comments are based either on previously-published material or my personal observations relevant to the facts commonly known.