Wednesday, December 13, 2017

Travelers need to beware of leaks in RFID security


IBM has an article warning travelers to watch their security in hotels that use key-card locks based on RFID (radio-frequency ID) technology. 

There are a number of dark-web tools that can break them or hack components on mobile phones.
High-profile people are more likely to be targeted.


I sometimes simply put laptop computers away and out of sight in hotel rooms when traveling.  If I have a rental car for the day, I tend to take them with me.  I may want them to blog with anyway.

The article mentions Faraday cage technology to protect access cards and credit cards (a microcosm of the EMP threat). 

Recently, my own car access key triggered the alarm of the next car in a garage.  While I’m at it, I’ll note how easy it is to get in the wrong car that looks like yours on the road.  One time I did this by accident in a sudden summer thunderstorm. The unlocked car had the same newspapers, road atlas, and clutter on the front seat, amazing coincidence.  I didn’t notice the apartment tag for a whole minute. 

You play on the road, you can't get a walk-off win.  You need your bullpen. 

Saturday, December 09, 2017

Will telecom providers (without net neutrality) buy their own anti-virus companies and enforce their own standards for sites that can connect?


I wanted to note that I’ve noticed that occasionally Trend Micro ratings of websites slip back from green to untested.  This has happened to one of my WordPress sites, and to other reputable sites belonging to individuals whom I know.

Sometimes this may happen after sites undergo major restructuring, with elimination of old links and adding many new ones.

I also wanted to mention that I’ve been keeping an eye on the “https everywhere” issue.  On Nov. 13 I discussed Blog Tyrant’s long-winded advice on this issue, which appeared rather suddenly (I had prodded Ramsay on this matter several times).

In the short run, I don’t think that sites that don’t take personal information, do financial transactions, or require login present a risk without SSL.  But remember Ramsay encourages webmasters to seek out customers and offer email signon, which is going to require more confidence from subscribers.  

Other observers encourage SSL because in many parts of the world people cannot visit the web without being spied upon by governments.  That is one reason why Electronic Frontier Foundation has pushed “https everywhere”.

I bring this up again today, a bit speculatively, in conjunction with the ending of “net neutrality as we know it” after a Dec. 14 vote.  Actually, the issue will probably be litigated for a long time (at least as far as the most doomsday predictions go, of telecom companies milking small business, for which I don't see a genuine economic incentive).  But one development that looks pretty likely (even economically) to me is that telecom providers will buy their own web security companies and offer their own anti-virus, and courts will almost certainly say that this is OK.  They already offer their own home security (I use Cox), which probably sounds like a good thing for consumers, but requires a lighter touch from regulators to be available.

This sounds important to web publishers because telecom companies would then probably offer to block sites that don’t have green ratings from their own anti-virus providers.  As I noted before, these ratings are often fickle.  The companies might have to be more transparent about how they assign ratings (which in turn could invite subversion or compromise by overseas criminals).  They might have to review new sites sooner, but this could open up the idea of standards that a site needs to meet to be viewed as “legitimate”, a potential problem for small business.

The other requirement, of course, is that a telecom company could refuse connection (or offer to refuse it) to any site not “professional” enough to offer https.  (Although until relatively recently many newspapers didn’t offer https on ordinary stories:  it was paywalls that got them into doing this.)

That’s a problem for someone with multiple domains if the hosting provider allows only one addon (per account) to use https.  This has been the case for BlueHost, but I see now that BlueHost has a link for activating it (even “free”).  I will check into whether this works for multiple addons (for which BlueHost has an internal A-record structure linking them to a master domain) and report soon (by early 2018 at the latest).

Sunday, December 03, 2017

Phishing emails now threaten Apple account suspension


I continue to get a lot of phishing emails claiming to be from Apple, saying I purchased services and games in third-world countries; the purchases never show up on a credit card statement.  I don’t know if it hurts me if somebody impersonates me in Indonesia or Kazakhstan.

But today I got one claiming my Apple account was about to be suspended.   The domain had a .nl TLD.  Many of the emails come from “my.com”. 

I forwarded these to reportphishing@apple.com.
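Before forwarding a message like this, a quick look at the headers tells you most of what you need to know: the address behind the display name, and the Authentication-Results line that the receiving mail server adds. The following is an added example (not from this post and not Apple's code) that does that triage over three constructed messages; the allowlist of Apple sending domains, the sample headers, and the domain names in them are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the brand sends account mail from (illustrative,
# not Apple's published list; a real one comes from the brand's own guidance).
BRAND = "apple"
BRAND_DOMAINS = {"apple.com", "email.apple.com", "id.apple.com"}


def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess (last two labels). Enough to tell
    email.apple.com from my.com; real code should use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def auth_results(msg) -> dict:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers.
    These are written by the receiving server, so they are harder to forge
    than the From line, which the sender controls."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw: str) -> dict:
    """Return sender facts plus a list of reasons the message looks like phishing."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    brand_regs = {registrable_domain(d) for d in BRAND_DOMAINS}
    brand_match = from_domain in BRAND_DOMAINS or registrable_domain(from_domain) in brand_regs
    verdicts = auth_results(msg)
    reasons = []
    if not brand_match:
        reasons.append(f"From address is {from_domain!r}, not a {BRAND} domain")
        if BRAND in display.lower() or BRAND in from_domain:
            # spf=pass here proves nothing: it only says the attacker's own
            # domain authorised the sending server.
            reasons.append(f"uses the {BRAND} name without owning a {BRAND} domain (lookalike)")
    elif verdicts.get("dmarc") != "pass":
        # A genuine brand domain should pass DMARC; a brand From that does not
        # is the classic forged From header.
        reasons.append(f"From claims a {BRAND} domain but dmarc={verdicts.get('dmarc', 'missing')}")
    return {
        "display_name": display,
        "from_domain": from_domain,
        "brand_match": brand_match,
        "auth": verdicts,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample messages (not real mail); only the headers matter here.
PHISH_LOOKALIKE = (
    'From: "Apple Support" <noreply@apple-id-check.nl>\n'
    "To: victim@example.org\n"
    "Subject: Your Apple ID will be suspended\n"
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=apple-id-check.nl;"
    " dkim=pass header.d=apple-id-check.nl; dmarc=none header.from=apple-id-check.nl\n"
    "\n"
    "Your account has been locked. Confirm your details within 24 hours.\n"
)
PHISH_SPOOFED_FROM = (
    "From: Apple <noreply@apple.com>\n"
    "To: victim@example.org\n"
    "Subject: Receipt for your purchase\n"
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=my.com;"
    " dkim=none; dmarc=fail header.from=apple.com\n"
    "\n"
    "You purchased 3 games. If this was not you, click here.\n"
)
LEGIT = (
    "From: Apple <noreply@email.apple.com>\n"
    "To: victim@example.org\n"
    "Subject: Your receipt\n"
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=email.apple.com;"
    " dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com\n"
    "\n"
    "Thank you for your purchase.\n"
)

if __name__ == "__main__":
    for name, raw in [("lookalike", PHISH_LOOKALIKE), ("spoofed", PHISH_SPOOFED_FROM), ("legit", LEGIT)]:
        r = triage(raw)
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", r["from_domain"], r["reasons"])
```

The two phishing shapes need different checks: a lookalike domain (the .nl case) will often pass SPF and DKIM for its own domain, so the signal is the domain itself, while a forged apple.com From is caught by the DMARC verdict on the brand's domain. Neither check looks at the body, which is where the scare text lives and where a filter is easiest to fool.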

I do note that Apple now enforces two-step verification to sign on to iCloud on a laptop or desktop.  For some reason, my photos haven’t backed up since Oct. 1, even though I have separate WiFi from Cox on my phone when at home. 

Wednesday, November 22, 2017

Uber hack may need self-protection by consumers


Fortune Magazine has rather stern advice for consumers regarding the recent Uber hack, here

Uber hasn’t yet said how it will notify consumers or whether it will force a password reset.  The article says to do it anyway.  And don’t use the same password you use on other accounts.

Fortune disagrees with Uber's contention that consumers don't need to worry. But Fortune, despite the title of the article, really doesn't tell you how you can tell if you were affected. 

  

Of course, what’s so disturbing is that Uber apparently paid off the hackers and didn’t tell anybody for a long time. Presumably the hackers threatened to give the data to other hackers.  It’s like naming names. See something, say something. 

Tuesday, November 14, 2017

Has the NSA made us all targets of foreign enemies?


The New York Times has a long and detailed story of the breach at the NSA, in which a group calling itself the “Shadow Brokers” obtained the agency's hacking tools; those tools were then used to develop ransomware that hit consumers and, especially, less secure companies and hospitals last spring.

The booklet-length article by Scott Shane, Nicole Perlroth, and David E. Sanger appears here. 
  
You wonder how safe any computer, website, or company will be against an enemy determined and combative enough to infiltrate the NSA through employees or contractors.

  

And EFF has made so much of the surveillance issue over the years. 

Monday, November 13, 2017

Well-known blogging consultant urges everyone to go to https now -- but it's complicated


Ramsay Taplin, Australia’s “Blog Tyrant”, has come up with a detailed post on how bloggers can convert their sites to https (link).
  
It’s important to remember that this applies only to specific domains, not to subsites of Blogger or WordPress.


I wrote a detailed comment.  Since the comment period is time-sensitive, I’ll reproduce my own comment here:

How important is https for a page that does NOT require user logon or collect user info? That does NOT process funds, PII, etc.

I have four domains on BlueHost, which as of now will set up one as SSL (with an enhanced SiteLock package). I did pick one of the addons (because it is possible to do transactions on it, although I do them rarely in practice). In my case that is doaskdotellnotes.com (not the site I have shared most often). I am expecting BlueHost will change things so that all four can be https. Also, Google’s free Blogger will make all free domains https but does not with those that have their own domain names.  That is because SSL is by main domain name (e.g. blogger.com in the case of Google). That also seems true of Automattic (for example, https://jboushka.wordpress.com/; there’s not much there, that’s a copy of some old stuff). It would be helpful to know if Google, WordPress, BlueHost etc. will do anything soon to make this “easier”.
You can navigate to my Blogger Profile.  “Movie Reviews” “Book Reviews” and “Bill Boushka” all resolve to specific domain names and right now do not have https.  The other thirteen are Blogger subdomains.  They can be viewed with or without https.  Some embedded videos from some news sources do not yet work when viewed in https.
Ramsay’s directions are very long and complicated, and I would wonder how many bloggers have the time to do this.  The blogging business paradigm that he advocates generally works with niche blogs aimed at very specific audiences, and often goes along with small businesses that actually would use email lists.  This might be very hard for a lot of small businesses to do.
I suspect BlueHost and other providers will make this simpler in the future.  Business persons should also consider hacker security protection like SiteLock.
Electronic Frontier Foundation has long urged all websites to go to https, even those that don’t require logon or do transactions or collect PII.
I’ll come back to this in more detail in the near future (I don’t know how near) on my Wordpress news blog. 
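The comment's point that “SSL is by main domain name” comes down to which names a certificate lists. A wildcard certificate for a shared host covers exactly one level of its own subdomains, and a custom domain is covered only if some certificate names it explicitly in the subjectAltName extension; that is also why a single certificate can cover several addon domains at once. The following added example (mine, not BlueHost's, Google's or Automattic's code) checks hostnames against certificates shaped like the dict Python's ssl.SSLSocket.getpeercert() returns; the two certificates and the second addon domain name are constructed for illustration.

```python
# Certificate dicts in the shape ssl.SSLSocket.getpeercert() returns, but
# constructed for this example; they are not the hosts' real certificates.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.wordpress.com"),),),
    "subjectAltName": (("DNS", "*.wordpress.com"), ("DNS", "wordpress.com")),
}
ADDON_SAN_CERT = {
    "subject": ((("commonName", "doaskdotellnotes.com"),),),
    "subjectAltName": (
        ("DNS", "doaskdotellnotes.com"),
        ("DNS", "www.doaskdotellnotes.com"),
        ("DNS", "second-addon.example"),      # hypothetical second addon domain
        ("DNS", "www.second-addon.example"),
    ),
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one DNS name from a certificate cover hostname?

    Follows the rules browsers apply (RFC 6125 section 6.4.3 style): compare
    case-insensitively; '*' is allowed only as the whole leftmost label, must
    be followed by at least two labels (so '*.com' never matches), and matches
    exactly one label, so '*.wordpress.com' covers jboushka.wordpress.com but
    not wordpress.com itself or www.jboushka.wordpress.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName entry covers hostname.

    Only SAN entries count: browsers no longer fall back to the commonName,
    so a certificate carrying a name only in its CN does not cover it."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(n, hostname) for n in sans)


def coverage(cert: dict, hostnames) -> dict:
    """Map each hostname to whether cert covers it."""
    return {h: cert_covers(cert, h) for h in hostnames}


if __name__ == "__main__":
    shared = ["jboushka.wordpress.com", "www.jboushka.wordpress.com",
              "wordpress.com", "doaskdotellnotes.com"]
    print("wildcard cert:", coverage(WILDCARD_CERT, shared))
    addons = ["doaskdotellnotes.com", "www.doaskdotellnotes.com",
              "second-addon.example", "blog.second-addon.example"]
    print("SAN cert:", coverage(ADDON_SAN_CERT, addons))
```

Run against a live site, the same check works on the dict returned by `ssl.create_default_context().wrap_socket(...).getpeercert()`. The practical consequence for a multi-domain account is that the host only has to issue one certificate listing every addon domain (and its www variant) as a SAN; Let's Encrypt allows up to 100 names per certificate, so the one-addon limit is a panel restriction, not a protocol one.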

Saturday, November 11, 2017

Criminals can make duplicate house keys from images created by apps


Recently local television stations warned consumers about the dangers to home security posed indirectly by apps that encourage you to photograph your house keys so that duplicates can be made.  Thieves have used the same technique to commit burglaries. 

Wired has a typical story by Andy Greenberg from 2014, here.    Some of the apps include KeyMe, KeysDuplicated and KeySave.

One risk is allowing parking valets to have access to house keys.

The reports don't say whether these apps would work with higher-security locks like Medeco.