Tag Archives: Security

WhatsApp Supermarket Phishing Scam



There’s a WhatsApp phishing scam doing the rounds here in the UK, based on free gift vouchers from big supermarket retailers. It’s doing well because (a) people are receiving the links from friends and (b) the false links are disguised with accented look-alike letters in the retailer’s name.

Here are two that I received in the last few days.


Check the subtle dot over the c of Tesco and the line on the d of Asda. They got my scam senses tingling but many people seem to have fallen for it based on the couple of messages I received. Apparently there’s a variant for Aldi too.

If you do follow the links (and I recommend you don’t), the first part asks for more friends to pass on the message to, and the next bit starts collecting personal info so they can send out the vouchers. Yeah, right. Fortunately, friends I’ve spoken to became more suspicious on the second section and dropped out.

This scam can easily be moved to other retailers in other countries so watch out for it, though the basic scam has been around for a while. It’s the use of special characters that seems to be new. I imagine that they can be creative with other letters in addition to c and d. More at the BBC.
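As an added example (not from the original post), here is a small checker for the trick described above: it pulls the hostname out of a link, reduces each label to the plain ASCII a reader would perceive, and flags it when that skeleton matches a brand name but the real label contains look-alike characters. The brand list, the sample links and the small map of non-decomposing letters are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Brands the scam impersonated according to the post (constructed list).
BRANDS = {"tesco", "asda", "aldi"}

# Letters that look like ASCII but have no NFKD decomposition, so stripping
# combining marks will not catch them. The barred d of the fake Asda link is
# one such case. Constructed, deliberately small map.
NO_DECOMP = {"\u0111": "d", "\u00f0": "d", "\u0142": "l", "\u00f8": "o", "\u0131": "i"}

# Constructed sample links modelled on the two messages described above.
SAMPLE_LINKS = [
    "http://www.tes\u010bo.com/voucher",   # c with dot above (U+010B)
    "http://www.as\u0111a.co.uk/gift",     # d with stroke (U+0111)
    "www.aldi.co.uk/offers",               # plain ASCII for comparison
]


def hostname(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def skeleton(label: str) -> str:
    """Reduce a hostname label to the ASCII text it visually resembles.
    NFKD splits U+010B into 'c' + U+0307 (combining dot), which is dropped;
    letters with no decomposition are mapped through NO_DECOMP."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(NO_DECOMP.get(ch, ch))
    return "".join(out)


def odd_characters(label: str) -> list:
    """List (char, Unicode name) for every non-ASCII character in a label."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in label if ord(c) > 127]


def check_link(url: str) -> dict:
    """Classify a link as ok, non-ascii, or homoglyph (brand look-alike)."""
    host = hostname(url)
    result = {"host": host, "verdict": "ok", "brand": None, "chars": []}
    for label in host.split("."):
        odd = odd_characters(label)
        plain = skeleton(label)
        if odd and plain in BRANDS:
            result.update(verdict="homoglyph", brand=plain, chars=odd)
            return result
        if odd:
            result.update(verdict="non-ascii", chars=odd)
    return result


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = check_link(link)
        print(f"{r['host']!r:32} {r['verdict']:10} {r['brand'] or ''} {r['chars']}")
```

The same skeleton comparison can be run over any brand list; the NO_DECOMP map is the part to extend when a new look-alike letter appears.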


Stay Safer with 2FA and a YubiKey



In the past couple of weeks I’ve received three notifications from Have I Been Pwned informing me that a couple of organisations didn’t do a good enough job keeping my info secure. While it’s always going to be a good idea to change your login and password, any sites that use 2FA significantly reduce the value of stolen credentials (as long as you’ve signed up for the 2FA option!).

What’s 2FA? Two Factor Authentication. Still not clear? Maybe you’ve used a web site that’s texted your phone with an extra number or code that needs to be typed in before you are let in to your account. That number is a “second factor” and you’re using 2FA to get into the web site. Excellent choice. 2FA is good because it means that even if ne’er-do-wells steal your details from a sloppy site, they don’t have access to your phone, so they can’t get any further. However, SMS authentication is not perfect – there are some vulnerabilities, typically involving interception or “man in the middle” attacks.

If you want to take your online authentication to the next level, you might want to consider a physical security key for your second factor. This isn’t a key like you’d use in a lock, but a USB key that doesn’t look too dissimilar to a memory stick. A good example is Yubico’s YubiKey 4 series range, which supports a wide range of protocols including “FIDO U2F, smart card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response” and can be used with many of the big names like Google, Facebook and Dropbox. The keys can be used for authentication when logging on to PCs too (depending on OS, version etc.).

As an end user, you don’t need to know all the technical stuff, only that it’s a very safe way to authenticate and it’s simple to use. To get started, you first associate the security key with your account, and the next time you try to log on to the service, you’ll be prompted to insert the security key into a USB slot (or swipe for NFC keys). You can use one key for multiple sites.

Yubico provides YubiKeys for different use cases. There’s the standard YubiKey 4 which is designed to go on a keyring (keychain) and works with USB A. The YubiKey 4C also goes on a keyring but works with USB C. The 4 Nano and 4C Nano are smaller and are intended for semi-permanent installation in USB A and C sockets respectively. For NFC applications, such as suitably-equipped smartphones, there’s the YubiKey NEO. Physically, the keys are tough. Allegedly, they can go through the washing machine and get run over by a car, though I didn’t try any of these.

Here I have a YubiKey 4 and 4 Nano (shown left) and they both work in the same way – the only difference is the size and what you touch to activate the key. Let’s take a look at getting Google setup with a YubiKey.

Log in to your Google account, say via Gmail. Click up on the top right where your “headshot” is and then click again on “My Account”.

Head on into “Signing in to Google”. I’ve blanked out a few sensitive items.

2-Step Verification is what you want. Hopefully, you’ve already got this turned on but if not, go ahead and get this sorted out. This page shows the factors you can use for 2FA. Security keys are topmost with text messages and backup codes below (not shown).

Click on “Add Security Key”.

Get the YubiKey ready and insert when instructed. Hit Next.

On the YubiKey 4, the “Y” logo on the key will flash – tap with your finger to confirm. On the Nano, tap inwards on the end of the key. Once the YubiKey has registered, you can give it a name.

And that’s it – all set and ready to go. The next time you log in to Google on a computer that you haven’t used before you’ll be prompted to insert your YubiKey to prove who you are. Super secure!

Other services are similar. Here’s part of the Dropbox procedure.

And Facebook…

Supported sites are listed here and you’ll recognise a good few of the names.

If you can see the benefits of secure 2FA, the YubiKeys can be purchased from the Yubico online store. The YubiKey 4 is US$40 and the 4 Nano is US$50, with similar prices in GB£ from amazon.co.uk.

The 4 series can do a whole lot more, and if you just want the basics, then a YubiKey 3 at only US$18 is a good start. I personally bought one of these a while ago to secure my Google account.

Thanks to Yubico for providing the YubiKeys for review.


Keep Prying Eyes Away with the InvizBox 2



Perhaps I’m just old and suspicious, but I’m increasingly concerned about the personal information that I give away to companies like Google and Facebook for their services. I’ve had enough of being the product. As for the information gathered surreptitiously by third parties, such as ISPs and government agencies, I’ve had enough of snooping and I don’t accept that if I’ve nothing to fear, I’ve nothing to hide. It’s simply none of their business.

Consequently, I’m working on a couple of strategies to mitigate my exposure, including some fake personas for simple things like compulsory registrations. While I’m not a social media superstar, I’m present on most social media platforms and it’ll take time to balance out the public and private. Fortunately in the UK, it’s not illegal to take a new identity unless the intention is criminal (so I’m told).

On a more practical side, I’ve already signed up for protonmail.com to secure my email correspondence and I’m going to move away from the big name providers in a gradual process. The other area of interest is VPNs and for those who aren’t in the know, a VPN is a Virtual Private Network. It hides your activity from the owner or maintainer of any local network connection – think of it as an opaque pipe within a transparent tube – so it’s good for protecting against both nosy ISPs wanting to sell your browsing history, and defending against nefarious activity on public wifi hotspots.

I’ve been tinkering with some of the software-based VPNs for both mobile and home use, as my ISP-provided modem/router doesn’t have any VPN capability. Software solutions are fine if you have one or two devices, but when you’ve umpteen tablets and laptops in the house, it’s a pain.

An alternative is a dedicated VPN hardware solution and this Kickstarter campaign from InvizBox caught my eye. Simply, the InvizBox 2 is a wireless access point that connects to your home router, and then encrypts all the traffic over a VPN (or the Tor network). There’s no need for individual configuration as everything that connects to the access point benefits from the VPN. Your local ISP is then completely unable to track your activities and sell them on. Even better, the ISP can’t throttle your traffic based on type of use, or use of competing services.

Obviously these are benefits enjoyed by all VPNs, but as a neat hardware package, the InvizBox 2 looks attractive. Other features on the InvizBox 2 include ad blocking and parental controls. The latter is useful as the VPN will bypass any controls implemented on your router or by your ISP, so you might need to defend against inquisitive teens. You can get round geo-blocking too – that’s where you can’t see some content because you are visiting from the wrong country. As with most VPNs, a regular subscription is required (allow around US$5 / €5 per month) but there are some deals there too.

The standard InvizBox 2 is currently at €109 and the Pro is €149 if you get in quick, both with a year of VPN service. Other deals are available and delivery is expected in April next year. The team has already hit their goal of €50,000 and there’s still a week to go, so the project is going to be funded. As background, the InvizBox team are based in Dublin, Ireland and have a track record of delivery from previous Kickstarters, so there’s a good level of confidence. However, as with all Kickstarter campaigns, consider yourself a patron rather than a customer until the product is in your hands.

I might actually plonk down some cash for this…


Macate Genio Coming To UK



US multinational Macate is coming to the UK with the intention of launching its secure smartphone here later in the year. The company is setting up in Kensington, London, and the Genio smartphone is a mid-range Android device with an emphasis on security.

The bare specs are a 5″ HD screen driven by a 1.3 GHz quad core processor with 2GB RAM and 16GB storage, though this can be expanded with a microSD card. The Genio has two cameras: a 13 MP rear camera and a 5 MP front selfie shooter. For lovers of stock Android, it’ll run Nougat 7 out of the box.

The Genio is encrypted as standard (AES256) and comes with secure messaging app NetMe from Macate’s software development team Codetel. NetMe supports all the usual features of text, audio and video messaging and attachment sharing. They also have an encrypting email app, which I imagine will be pre-installed too.

The new UK team will be headed up by Darren Gillan, previously of Vertu, and he said, “We’re excited to be adding a UK base to our growing global network. Mobile security is a big issue for many consumers; they need a device that operates seamlessly but also securely. At Macate we’re dedicated to the development of cybersecurity and we’re delighted to be bringing that expertise to the UK mobile market in the form of Genio.”

Once on sale, the Genio will come in four colours, white, light golden, black and (pink) champagne, and will retail for £249. Obviously at this stage it’s hard to tell what the phone will be like, but hopefully we will get more details closer to the launch.


Bitdefender BOX Protects the Smart Home at CES



With the arrival of the Internet of Things, installing antivirus software on a PC isn’t going to address malware lurking on a smart home control unit. A different approach is needed and Bitdefender’s BOX might be the solution. Dan talks to Todd about what Box offers over traditional security products.

The Bitdefender Box is a small hardware device which is connected into a free port on the main router – it’s similar in size to the control units for SmartThings or Hue. Once configured via Bitdefender’s Central Account or the companion smartphone app, it monitors the network traffic for suspicious activity. Box provides several layers of security over and above standard antivirus with everything from URL filtering to anomaly detection.

Bitdefender Box is available now for US$129 in the first year, with an annual subscription of $99. The next gen Box is expected in the summer, priced at $199. Box is currently only available in the USA.

Todd Cochrane is the host of the twice-weekly Geek News Central Podcast at GeekNewsCentral.com.




Adieu Yahoo!



Dear Yahoo,

I’m sorry but I’m breaking up with you, and I’m afraid that it’s you, not me. We’ve been together for over ten years, from the early days of Flickr and Yahoo Groups, but you’ve hurt my feelings twice now and I think you’ve been cheating on me. It’s been fun but it’s not going to work out. There’s no longer any trust between us.

I’ll get my stuff out of your properties and return the keys as soon as I can. Goodbyee!

P.S. If anyone else wants to break up with Yahoo!, here’s the link https://edit.yahoo.com/config/delete_user.


Bold Euro Cylinder Smart Lock on Kickstarter



Smart locks have been gradually appearing on the US market over the past few years, with the Kevo Kwikset being one of the more popular. Over on the European side of the pond, it’s taken a little longer for smart locks to appear but they’re beginning to come onto the market from both established vendors and start-ups. Locks in UK and mainland Europe use different styles and standards from the USA so it’s not simply a case of rebranding an existing product.

Yale announced their entry into the market earlier in the year and you might have listened to my interview with them at this year’s Gadget Show Live. While beauty is in the eye of the beholder, some of the early smart locks have left a great deal to be desired aesthetically, with boxy designs and limited colour choices. Black anyone?

Fortunately, there are some smart locks beginning to appear that work with European doors, match the door furniture and look good. Case in point, the Bold smart cylinder lock which has just launched on Kickstarter. It’s a plug-in replacement for doors that use the Euro profile cylinder lock, comes in four different colours and looks like a door knob.

Bold Smart Cylinder Lock

The Bold uses Bluetooth technology so it unlocks based mainly on proximity of a smartphone or key fob using the Bold app. One of the big benefits of pure wireless (no keypad) is that all the electronics can be on the inside of the door, safe from both the elements and criminals. There’s no remote unlock feature so you can’t unlock the door from the comfort of your desk to let a neighbour in, but you can invite or authorise them to use their own smartphone to unlock the door. There are benefits to both approaches and you’ll have to think through your use cases to decide what’s best for you. A keyfob (say, for children) is available for extra cost.

Bold Key Fob

The Bold seems to keep it simple from a hardware point of view too. The Bold isn’t motorised so it doesn’t actually unlock the door itself, though it engages the handle with the mechanism so that the door can be unlocked (or locked) by turning the handle. The benefit of this is a much longer battery life (three years) and lower cost for the lock while eliminating the need for often troublesome moving parts.

The team appear to have given some thought to security, working with specialists Ubiqu and their qKey to provide a secure system. Can’t say that I’m qualified to comment further but it does provide some reassurance that the Bold team aren’t making it up as they go along. To see the Bold in action, check the video on the Kickstarter page.

If this interests you, the lowest price point currently available is €149. Just remember with all things Kickstarter, there’s a risk to your money so don’t spend what you can’t afford. You might also want to check the dimensions on your door to make sure that the Bold doesn’t foul existing door handles.

Personally I’ve mixed feelings about smart locks. While I know that most door locks can be defeated by the determined criminal, I’m still confident that once I close my front door behind me and turn the key, that door is going to stay locked. With smart locks, there’s still that kind of nagging feeling that it might automagically unlock itself… and of course a mechanical lock is still going to be working in ten, twenty, thirty years’ time. Still, I’m tempted…


Devolo Updates Home Control



Last night Devolo pushed out a major update to its Home Control platform, providing additional functionality in four new areas. The update occurred painlessly on my system and while I wasn’t able to fully explore the new features, I’ve managed a few screenshots.

First, there are three new supported devices with two sensors, flood and humidity, and one actuator, a siren, which are all coming soon. It’s not clear if the siren is for internal or external use though it will be useful in rounding out the security features of the system.


Second, there’s now integration with the Philips Hue lighting system and Home Control picks up the configuration directly from the Hue hub, inserting the available lights into the list of devices. This addresses what I felt was one of the main flaws with Home Control and brings it up to scratch, as it were.

Third, Home Control has improved third party integration with web services and this comes in two parts. The first is what Devolo are calling “scene sharing” and this is the ability to trigger a scene remotely (e.g. living room lights on). Effectively, this allows integration with tools like IFTTT, so you can do things like “If my GPS says I’m within 300m of home and it’s dark, then turn the hall and porch lights on.”

The second part of this integration allows the Home Control system to access other devices by URL, e.g. http://……, so if another device can “do stuff” via a web address, then Home Control can potentially access it. I haven’t explored this area but I imagine you could use this to integrate with other 3rd party devices like webcams that often present a web-based view, as well as working with IFTTT.

Finally, the dashboard functionality has been improved with the option to now have multiple dashboards so that it’s easier to construct different views of your smart world. For example, you could have a room-based dashboard or a device-based dashboard that could be used for a security view of the home. Again, I didn’t get a chance to play with this functionality so can’t comment in more detail, but it looks handy.

Overall it’s a worthwhile update that brings some much needed functionality to Home Control.


272 million emails and passwords leaked from Gmail, Hotmail and more



It seems that not a day goes by without some security news, usually in the form of a breach. There have been some big ones too, from Target to Home Depot, as well as online ones, including the embarrassing Ashley Madison one.

Now we have the latest news, and it’s up there with the largest in history. 272 million emails and passwords from the likes of Gmail, Hotmail and others have been leaked.

Before you panic too much, realize that the data obtained consisted largely of data that had been seen before. Hold Security, which broke this news, claims that “Only 0.45 percent is new, meaning that only 1 out of 200 credentials are ones we have never seen before”.

The hacker was simply trying to unload the data and contacted the security firm asking only 50 rubles, which is less than US$1. Not wanting to contribute anything to this cause, Hold Security negotiated and received the information for free.

Hold claims “When we peel back the layers and dig deeper, we find that the hacker is holding something back from us. Within several days of communication and after a couple more strategically timed votes on his social media pages, he shared more useful information. At the end, this kid from a small town in Russia collected an incredible 1.17 Billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials — 15 percent of the total, that we have never seen before”.

Yes, this has the potential to be very bad, but right now we just don’t know. We also don’t know why the hacker was trying to unload it so quickly and then ended up giving it away. Stay tuned as this unfolds.


Ransomware threat grows as April sets a new record




Ransomware is the latest phase in online fraud. Think of it as an old-time mafia shake-down. It amounts to protection money. Your data gets encrypted and you have to pay to unlock your own files. It’s a deplorable practice, but unfortunately also a lucrative one.

And it’s that promise of money that keeps the market for these things going. In fact, a new report claims April was the biggest month yet for this sector of malware.

Enigma Software Group did a study of all infections, covering more than 65 million since April 2013. The results were disturbing. It claims it “found that ransomware in April 2016 more than doubled the total from March 2016. Additionally, ransomware made up a larger percentage of overall infections in April than in any other month in the last three years”.

The trend has resulted in some high-profile attacks, including a hospital being hit. Both individual users and businesses are being targeted.

“It’s not just businesses that are being hit by ransomware”, says ESG spokesperson Ryan Gerding. “Every day thousands and thousands of people turn on their personal computers only to find their most precious photos and other files have been locked up by bad guys”.

The best defense against these attacks is to back up your data, either in the cloud or on an external drive that you can disconnect from the network, because ransomware propagates across any drives and computers it can reach to ensure that you have no access to your files. There is also the usual advice — think before you click links and keep your system up to date, both OS and software.

Image Credit: Bigstock