Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks


Tag: Security

Kwikset adds Remote Unlocking to Kevo at CES

Posted by Andrew at 5:59 PM on January 8, 2014

The Kwikset Kevo is a deadbolt lock that uses Bluetooth communication as well as a physical key to lock and unlock doors. Currently it only works with Apple iPhones but it looks really cool. You walk up to the door, touch the Kevo lock, the lock checks your eKey on your phone and the door opens. There’s a whole host of clever features based around eKeys which can be transferred to people you trust and owners can receive notifications of when the lock is opened. The glossy video below shows the main features of the Kevo.

The Kevo has been available for a few months and at CES, Kwikset are responding to customer feedback with new enhancements to the Kevo lock system. The Kevo Bluetooth Gateway will be available in the summer and the unit will allow owners to remotely lock and unlock Kevo using their smartphone, say when a relative visits from out of town or a neighbour unexpectedly needs to feed pets.

“Kwikset is quickly expanding the value Kevo delivers to current and future owners through a series of Kevo technology advancements, beginning with remote functionality, based on the desires of today’s consumer” said Keith Brandon, director, residential access solutions. “Kevo continues to be the breakthrough smart lock technology on the market, gaining recognition from the CES Innovation Awards, among many others.”

As you might expect, the Kevo locks don’t come cheap at around US$220 but it looks like a neat solution and once Kwikset (a) get it working on Android and (b) produce a UK version, I might well be interested.

Two Million Passwords Stolen by Hackers

Posted by JenThorpe at 6:36 PM on December 4, 2013

On November 24, 2013, researchers at Trustwave discovered that hackers have obtained up to 2 million passwords for websites like Facebook, Google, Yahoo!, Twitter (and others). Researchers learned this after digging into source code from Pony botnet. It appears that information about this has only been made public very recently.

Here’s some quick stats about some of the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, Pony botnet stole credentials for: 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords into something strong and secure.

Doing so won’t make it entirely impossible for hackers to crack it, but it could make it more difficult. Trustwave noted that only 5% of the 2 million passwords that were stolen had excellent passwords (meaning the passwords had all four character types and were longer than 8 characters).

AVG Android Social Apps

Posted by Andrew at 11:05 AM on November 12, 2013

Today’s Android apps from AVG are aimed at social media users rather than performance junkies whose needs were covered yesterday. AVG has two apps in this space, Image Shrink & Share, and Privacy Fix. Very different apps themselves but both are worth a look.

AVG Image Shrink & Share works on the premise that the average smartphone camera takes photographs which are unnecessarily large for social media purposes. Most people can’t be bothered to downsize the photos and risk incurring bandwidth charges by uploading the large photos anyway. Image Shrink & Share solves this problem by resizing photos on the fly before passing them onto the relevant social networking app. The original photo is not affected and stays on your phone or tablet.

Here’s how it works. Let’s say you want to share a photo on Facebook. You review the photo in Gallery or Photos as normal. Hit the share icon and choose AVG Image Shrinker instead of the app you would normally use (it’s on the left in the screen shot which is from the new Photos app which has a different layout and background).

Then you are prompted for the final app that you want to use to post the photo, say, Facebook or Google+. Image Shrink & Share resizes the photo based on your default selection and then passes it on to the social media app (or other app) for comment and posting.

You can setup the default size for each application individually in the Settings menu. If you turn an app off, it doesn’t show in the second list presented by Shrink & Share, so it’s a useful way to declutter your sharing screen as well.

In practice, I found that it worked very well and solves the problem very neatly. Images resized correctly and looked good. If I had one suggestion, it would be to have a native resolution option on the resize settings so that photos can be passed through without alteration. I know that it’s not strictly necessary as I can simply choose to share directly to the app, but it makes the process consistent.

Overall, if you post lots of photographs to social media sites, this is a must-have app. Personally I’ve found it handy for uploading images to WordPress as it has a 2 MB limit on photos, so AVG’s tool gets round that problem for me.

Moving on, AVG PrivacyFix is less about sharing and more about controlling your exposure on Facebook and Google+. It’s a complementary app to the PrivacyFix website which covers LinkedIn too, but the app currently only looks at Facebook and Google+. It’s simply a case of giving the app access to your accounts after which PrivacyFix will make some comments and recommendations.

Here are the recommendations PrivacyFix gave me for Facebook and Google+.

You can tap through each and PrivacyFix will give you some information on the impact of changing the option and if you wish to proceed, show you what was done. Here’s some info on turning off Search History and then the output from opting out of ad tracking.

AVG PrivacyFix is another great app. It’s certainly not one that you are going to use everyday, but it’s definitely worth running every month or so to check that your exposure on social media is at an acceptable level. Clearly you can use the PrivacyFix website to cover LinkedIn, but I hope AVG extend the Android app to cover LinkedIn and perhaps others such as Twitter, Flickr, Instagram, etc. I also think that this would be a great tool for parents to check the privacy settings on their children’s accounts and that’s a feature that AVG ought to promote directly within the app and website.

Both Shrink & Share and PrivacyFix are free apps, so go ahead, download them from Google Play and try them out.

Unprotecting Excel Spreadsheets Without The Password

Posted by Andrew at 12:21 PM on November 10, 2013

Spreadsheets and Microsoft Excel in particular are great tools for any kind of numerical analysis, but they’re good for handling and storing other data as well. I seem to recall a survey a few years ago that Excel was the #1 database in the world with Access, Oracle and SQL Server lagging very far behind. Of course, it all depends on your definition of a database but the point is made.

Excel has useful features for developing forms and hiding information so that it’s easy to create mini apps which take user entered information, combine with data stored in the spreadsheet and provide an answer. Some of the spreadsheets are very sophisticated and Excel offers a “protect” feature that locks down a sheet (or workbooks) and prevents unwanted meddling or fiddling with the data. The protect feature even lets the owner set a password so that the more determined meddler can be thwarted and confidential data kept confidential.

Except it doesn’t. Any protected Excel spreadsheet can be unprotected in three steps. Here’s how.

With the Excel spreadsheet open,

  1. Press Alt + F11 (or go to View Code in the Developer’s Tab)
  2. In the window that appears, paste in this code (courtesy of University of Wisconsin-Green Bay)
    Sub PasswordBreaker()
        'Breaks worksheet password protection.
        'Tries 2^11 x 95 = 194,560 candidates: eleven characters that are
        'each "A" or "B" (codes 65-66) followed by one printable ASCII
        'character (codes 32-126).
        Dim i As Integer, j As Integer, k As Integer
        Dim l As Integer, m As Integer, n As Integer
        Dim i1 As Integer, i2 As Integer, i3 As Integer
        Dim i4 As Integer, i5 As Integer, i6 As Integer
        'A wrong guess makes Unprotect raise an error; skip it and carry on.
        On Error Resume Next
        For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
        For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
        For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
        For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
        ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
            Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
            Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
        If ActiveSheet.ProtectContents = False Then
            MsgBox "One usable password is " & Chr(i) & Chr(j) & _
                Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
                Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
            Exit Sub
        End If
        Next: Next: Next: Next: Next: Next
        Next: Next: Next: Next: Next: Next
    End Sub
  3. Press F5 (or click Run) and wait a minute or so…..hey presto, spreadsheet unprotected.

On my modest PC it takes about 80 seconds to crack the password and it seems to come up with a password such as AABBAAABBB^ which isn’t the original password but nevertheless works. Spreadsheet is now unprotected. Try it for yourself.

Shocked? Surprised? Worried about a .xls that you sent last week with confidential data in it? I’m sure lots of people would be very worried if they knew how easy it was to unprotect a sheet.

To be fair to Microsoft, the help page says, “IMPORTANT  Worksheet and workbook element protection should not be confused with workbook-level password security. Element protection cannot protect a workbook from users who have malicious intent. For optimal security, you should help protect your whole workbook file by using a password.” Personally, I think setting a password sets unrealistic expectations about the level of protection; in some ways it would be better if there was no password option as there would be no expectation.

Overall, it’s best to think of protecting an Excel spreadsheet as a way of making the spreadsheet more convenient to use and don’t ever think of protecting an Excel spreadsheet as a way to hide secret information.
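
An added example, not part of the original post and not Microsoft tooling: a Python audit that applies the help-page distinction above to .xlsx files (the Office Open XML format, which goes beyond the .xls case the post mentions). It reports worksheets that rely on sheet protection while the file itself is an unencrypted ZIP whose cell data can be read directly; the sample workbook, its attribute values and all function names are constructed for illustration.

```python
import io
import re
import zipfile

# OLE compound file header: a legacy .xls or an encrypted OOXML package.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SHEET_RE = re.compile(r"^xl/worksheets/[^/]+\.xml$")
PROT_RE = re.compile(rb"<(?:\w+:)?sheetProtection\b([^>]*)>")
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def audit_workbook(data: bytes) -> dict:
    """Classify the container and each worksheet's protection state."""
    if data.startswith(CFB_MAGIC):
        return {"container": "cfb", "sheets": {}}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "sheets": {}}
    sheets = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not SHEET_RE.match(name):
                continue
            m = PROT_RE.search(zf.read(name))
            if m is None:
                sheets[name] = "unprotected"
                continue
            attrs = dict(ATTR_RE.findall(m.group(1)))
            if b"algorithmName" in attrs:   # salted, iterated hash
                sheets[name] = "protected:" + attrs[b"algorithmName"].decode()
            elif b"password" in attrs:      # legacy 16-bit password hash
                sheets[name] = "protected:legacy-16bit"
            else:                           # protection with no password set
                sheets[name] = "protected:no-password"
    return {"container": "zip-plaintext", "sheets": sheets}


def findings(report: dict) -> list:
    """Turn an audit report into human-readable warnings."""
    if report["container"] == "cfb":
        return ["CFB container: legacy .xls or encrypted file, not inspected here"]
    return [
        f"{name}: {state}, but the file is unencrypted so its cells are readable"
        for name, state in sorted(report["sheets"].items())
        if state.startswith("protected")
    ]


def build_sample() -> bytes:
    """Constructed sample: a ZIP holding three worksheet parts only."""
    ws = "<worksheet><sheetData/>%s</worksheet>"
    parts = {
        "xl/worksheets/sheet1.xml": ws % '<sheetProtection password="CC1A" sheet="1"/>',
        "xl/worksheets/sheet2.xml": ws % ('<sheetProtection algorithmName="SHA-512" '
                                          'hashValue="AAAA" saltValue="BBBB" sheet="1"/>'),
        "xl/worksheets/sheet3.xml": ws % "",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for line in findings(audit_workbook(build_sample())):
        print(line)
```

Any sheet the audit flags should be treated as readable by every recipient of the file; confidential workbooks need the file-level password the help page recommends.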

If you thought the Adobe hack was bad, you should see the user data

Posted by Alan at 11:57 AM on November 9, 2013

By now you have likely heard of the attack on Adobe — the one that seemed to grow worse with each new bit of information. What started out sounding like a problem quickly deteriorated into disaster. Originally said to affect some three million customers, the number swelled to 38,000,000 and finally landed at 150,000,000.

But there were bigger concerns than just that — security firm Sophos analyzed the compromised data and released a case study of its findings. The results are staggering, in terms of what it revealed about the average computer user.

Sophos lodged an almost immediate complaint regarding the situation — “One of our complaints was that Adobe said that it had lost encrypted passwords, when we thought the company ought to have said that it had lost hashed and salted passwords”, the security firm states in the report.

Then the data analysis begins. The number one password, used by 1.9 million customers, was “123456”, while “password” followed in second place. Appearing at the 25th slot on that list was “LetMeIn”. You can’t make this stuff up, folks. One user’s password hint read “try: qwerty123”, while another user cryptically stated his hint as “rhymes with assword”. The sad list goes on.

Sophos points out that “With very little effort, we have already recovered an awful lot of information about the breached passwords, including: identifying the top five passwords precisely, plus the 2.75% of users who chose them; and determining the exact password length of nearly one third of the database”.

Image Credit: Bigstock

Microsoft retreats: tells customers to get third-party AV software

Posted by Alan at 4:40 PM on October 7, 2013

When Microsoft released its Security Essentials software the company claimed it was all the end-user really needed and, for a time, that was mostly right. But the software suite has not entirely been kept up, and is not compatible with Windows 8, though in that OS, it was still present in the background under the name Windows Defender.

Now the Redmond company has officially given up it seems, as in a recent interview it referred to Defender as “baseline software” and claimed that it would “always be on the bottom” of comparison tests — this after failing multiple ones.

Now Microsoft claims to be using Defender, which still comes as part of the OS in Windows 8.1, as more of a research tool. “The company is just sharing its virus tracking findings with the security industry so they can develop better anti-virus programs”.

This is not to say that WD will not continue to be updated every patch Tuesday — it will be. However, the software maker is now recommending users supplement the program with a third-party app.

Several good ones are available, both free and paid, but for the average user, it’s back to square one, as many do not know that they need such a thing, forget to update it even if they have it or just don’t know enough to stay out of trouble. For the tech-savvy, this is likely not a big deal, as many never used AV before anyway.

Battle.net Adds New SMS Protect Service

Posted by JenThorpe at 3:19 PM on October 3, 2013

Gamers who play any of the games by Blizzard Entertainment may want to check this out. Battle.net has introduced a new way to protect your account from hackers. The new service is called SMS Protect. If you currently have your account protected by an authenticator, it is possible that you received an email from Battle.net about this.

It will send a text message to your cell phone every time suspicious activity is detected on your account. You will also get a text if your account is flagged for suspicious login activity, if your password has been changed, or if account security features are added or removed.

In other words, if something nefarious appears to be happening to your account, you won’t have to wait until you get home, and try to log in, to find out about it. You can get a text message about it, while you are away from your computer. All you need is a standard cell phone with a data plan. You also need to be in one of the countries that is currently supported by SMS Protect.

The sooner you know something has gone wrong, the sooner you can try to fix it. If you want to get texts, you have to log into your Battle.net account and enable the texts. (The “default” mode has the texts turned off).

Those of you who play World of Warcraft, Diablo III, or Starcraft hopefully are already using an authenticator to protect your account. The key-fob authenticators are still useful, and so are the mobile authenticators for iPhone, Android and Blackberry. Those will still function as intended. You are not required to change over to the SMS Protect service if you do not want to. SMS Protect is simply one more tool to use to protect your characters and loot from hackers.

Who Can Access Your Dropbox Folders?

Posted by JenThorpe at 3:52 PM on September 10, 2013

A lot of people use Dropbox as a convenient way to transfer large files from one person’s computer to another. I find it to be extremely helpful for podcasters who need to send an audio file of their voice track to an editor who puts everything together. Today, I learned something rather unexpected about who, exactly, can see the files that are in my Dropbox.

My husband and I are both podcasters. We have a podcast that we do together. I do a couple of other podcasts without him. He edits some of the podcasts that I do and some podcasts that I am not a part of. As such, both of us use Dropbox to move audio files around.

The computer I use, and the one that my husband uses, are on a home network. He has admin level access to my computer. We find this to be helpful for many reasons – one being that it makes it easier for him to grab the audio file of my voice track for a podcast that he will be editing. Obviously, he and I are both aware that his admin status means that he can access anything on my computer.

It turns out that the admin status also allows him to access my Dropbox. He discovered today that he can use his admin status to gain access to my computer and that it also allowed him to access my Dropbox. He was able to open folders, look at the contents, and remove files.

Now, some of the folders that I have been invited to are the same ones that he has been invited to. For example, today he was editing a podcast that I am involved with. He and I already had access to that particular folder. He could access that one from his own computer.

Surprisingly, he was also able to access folders that he had never been invited to. There is a podcast that I do with a friend of mine. That friend does the editing. My husband has no need to be invited to that particular folder. Even so, my husband was able to open that folder, look at the contents and remove files. He could have put files into that folder if he chose to do so.

Typically, people are very careful about who they allow to access their computer. Admin status should never be given out on a whim. We only give that to people we trust. Before this little experiment, I had no idea that giving a person admin status to your computer also gave that person complete access to your Dropbox.

For me and my husband, this isn’t really an issue. We trust each other. Our network is at home and secure. That being said, it made us both wonder about the potential risks involved with work computers that are accessible by multiple people within one company or business.

Washington Post admits website hack

Posted by Alan at 8:46 AM on August 16, 2013

Amazon’s Jeff Bezos just purchased the Washington Post — and despite jokes, I am pretty sure he didn’t do it by accidentally clicking the “Buy it Now” button. Plans at this point are unknown, but one thing is certain — there are already problems to deal with. The newspaper has admitted that its web site was recently hacked.

The announcement came in two parts yesterday. The first read simply that “the Washington Post Web site was hacked today, with readers on certain stories being redirected to the site of the Syrian Electronic Army. The group is a hacker collective that supports Syrian President Bashar al-Assad”.

An hour later the organization updated this with additional information — “Washington Post Managing Editor Emilio Garcia-Ruiz: ‘A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our web site were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain. We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site’”.

Welcome to the newspaper industry Mr. Bezos. This is something not experienced at Amazon, but when you run a publication that can post stories on subjects that could be considered politically charged, then things change. Everyone may want to buy a new book or laptop, but not all wish to read opposing views.

Image Credit: BigStockPhoto

Apple Developer Website is Down

Posted by JenThorpe at 9:52 PM on July 21, 2013

It is never a good sign when you visit a website and see “We’ll be back soon” at the top of the page. Sometimes, it can mean that the site is going through normally scheduled maintenance and truly will be back online in a little while. Not so with the Apple Developer website!

To clarify, the website (at the time I am writing this blog) actually does say “We’ll be back soon”. It also says that it was taken down on Thursday, July 18, 2013. When will it return? At the moment, that is unknown. The situation is undoubtedly causing frustration for developers who need to access the website.

Here are some key points of the message that currently sits on the Apple Developer website:

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email address may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

It goes on to say that they are going to be completely overhauling their developer systems, including updating their server software and rebuilding the entire database. If you are a developer who needs that website, all you can do is be patient and wait for the overhauling to be completed.

On the positive side of things, Apple says that if you are a developer, and your program membership was set to expire while this overhaul is happening, not to worry. They will extend your membership and your app will remain on the App Store.