Showing posts with label IT security. Show all posts

Monday, May 4, 2020

How to get 16GB free VPN every month from Windscribe

Windscribe defines itself as "a set of tools that work together to block ad trackers and web beacons, restore access to blocked content and help you safeguard your privacy online". Basically, it is a VPN service with some additional privacy and security protection features such as the R.O.B.E.R.T.

You should consider using Windscribe if you are looking for a VPN provider that gives you at least 10GB of free monthly usage with no time limit (lifetime validity), no ads, a reasonably fast and stable connection, and rapid improvement in features, functions and server coverage.


Previously, Windscribe used to provide promo codes giving as much as 50GB or even 60GB of free monthly usage, but those promo codes are no longer valid. Anyhow, you can still get 16GB or more of free VPN every month by following the steps below.

Click here to create a new Windscribe account, and you will get 2GB of free monthly VPN. Note that it is a referral link that gives you an additional 1GB per month. If your Windscribe account is opened without a referral, you will only get 8GB of free monthly VPN in the next step, instead of 9GB.

Verify your email address with Windscribe, and you will get an additional 9GB of free monthly VPN, for a total of 11GB per month.

Log in to the Windscribe website, go to your Account Overview page, click the "Tweet 4 Data" button and post the promotional info to your Twitter account; you will get another 5GB of free monthly VPN. That is how you reach 16GB of free VPN every month.

If you want additional free data, become a referrer by following the instructions here. For each successful referral with a confirmed email, both you and your friend get an additional 1GB per month.

If you like Windscribe, you can also upgrade your account to Pro by paying a subscription, which gives you unlimited VPN data, many more servers and locations, access from unlimited devices with the same account, and the full feature set. You can click here to upgrade to a Windscribe Pro account with a special discount.

Windscribe can be installed in:
  • Computers: Windows, Linux and Mac OS
  • Smartphones and tablets: Android and iOS
  • Web browsers: Chrome and Firefox (will only protect web browsing activity)
  • Routers that support OpenVPN connections
Windscribe supports the following VPN connection modes, and by default will automatically pick the best mode for you:
  • IKEv2
  • OpenVPN TCP
  • OpenVPN UDP
  • Stealth - encapsulates OpenVPN in a TLS tunnel via Stunnel
  • Wstunnel - encapsulates OpenVPN in a WebSocket
Why do you need a VPN? There are many reasons, to name a few:
  • Protect your privacy from the website or server you visit by masking your actual IP address and location.
  • Stay anonymous to the websites you visit through the various privacy tools provided by Windscribe in addition to the VPN connection.
  • Block unwanted ads, malware, etc. with the tools provided by Windscribe.
  • Hide your Internet activity from the network devices of public WiFi, your company's network, your ISP's network, etc., which might be interested in logging and tracing your Internet activity.
  • Escape certain kinds of data throttling imposed by a WiFi provider, school, company, ISP, etc.
  • Escape certain kinds of QoS bandwidth throttling imposed by a WiFi provider, school, company, ISP, etc.
  • Bypass censorship imposed by a WiFi provider, school, company, ISP, government, etc.
  • Access websites, services and/or content that are only made available to certain regions.
  • Enjoy discounted prices available in certain regions for online purchases.
  • Securely access your internal resources by using Windscribe Port Forwarding.
  • Manually route your network path through an overseas server to achieve a faster and/or more stable connection by selecting a strategic VPN location.
You might need to use the Stealth or Wstunnel modes mentioned above in order to escape throttling and/or bypass censorship in certain tough situations.

Wednesday, January 22, 2020

Sciener A2F fingerprint smart digital door lock

Locks and keys have been used for decades to safeguard access through a door, so that only those holding a valid key can unlock it.

Traditional mechanical locks that lock/unlock with physical keys work great. However, their main disadvantages include:

  • The inconvenience of having to carry the key.
  • The key can be duplicated.
  • The key could be lost, stolen or seized. Anyone with the key can lock/unlock the door.
  • The lock could be picked open using special tools, without the key.

A typical smart digital door lock is in fact a mechanical lock with digital keys (there is also another type, the electromagnetic lock with digital keys). Its main advantages include:
  • No need to carry a physical key.
  • Each person can be assigned a unique key, which enables tracing of who used which key to unlock the door, and at what time.
  • Keys can be easily generated, and also revoked, by software.
  • A key can be replicated to multiple devices belonging to the same authorized person.
  • Time-based (the key can only be used during a certain time period) or event-based (the key can only be used once) access control is possible.

A digital key can be in the form of:
  • Biometric: fingerprint, palm, face, iris, voice, vein, ...
  • Passcode
  • Digital signature key pair
  • ...

And the data transmission method between the key and the lock can be:
  • Physical contact - fingerprint, palm, vein, ...
  • Computer vision - face, iris, QR code, ...
  • Voice recognition - voice
  • RFID
  • NFC
  • Electromagnetic wave - Infrared, Bluetooth, WiFi, ...
  • ...

The Sciener A2F fingerprint smart digital door lock is a product that combines security and convenience. It supports multiple unlock ways, including:
  • Fingerprint
  • Smartphone app unlock (eKey)
  • Smart watch (eKey)
  • Passcode
  • RFID card (touch access card, wristband, MyKad, Touch n Go card, credit card, debit card, other brand's RFID access card)
  • Physical backup key (for emergency purpose)
  • Smart speaker voice assistant command control (requires the WiFi Gateway module)
Sciener lock management functions, including assigning new keys, key revocation, key management, key usage monitoring, user management, lock behavior settings, etc., are all done using the Sciener Smart Lock app, available for free download from the Google Play Store and Apple App Store.


The Sciener A2F fingerprint smart digital door lock has a pretty elegant and modern look, adding aesthetic appeal to the door.


It is operated with 4 AA batteries. Its battery consumption is pretty low, and the batteries can last for many months. The battery compartment is located on the inside part of the lock behind the door, with a single button to open its cover.


The electronic components inside the Sciener smart digital door lock are illustrated below.



(Picture from Sciener's website)

The Sciener app communicates with the lock using Bluetooth. Communication between the app and the lock is encrypted using the Advanced Encryption Standard (AES) algorithm. The smartphone running the app needs to be near the door lock (within Bluetooth range of 10 meters) for most of its functions to work.

Optionally, the app can also communicate with the lock over the Internet via a Smart Gateway module. In this way, you can use the app to access the lock from anywhere with an Internet connection.

After a new lock is installed, it needs to be paired with a user registered with Sciener. The user is identified by email address and/or phone number, and the user account is stored in Sciener's cloud database. The user info is automatically synchronized between the Sciener cloud and the mobile app logged in with a valid account.

That first user automatically becomes the Authorized Admin of the lock, with full access to all its functions and settings. The Authorized Admin can appoint other users as Authorized Admins to co-manage the lock, and can also revoke the Admin rights of the other Authorized Admins.

In the event that the property is sold to another person, the Authorized Admin can transfer ownership of the lock to another user.

The lock has an internal clock. Once its time is synchronized with the smartphone clock of its Authorized Admin, the admin can use the Sciener app to generate new passcodes or send eKeys to other users to unlock the door, at any time and from any place, without needing to communicate with the lock. The clock, settings and records of the lock are synchronized with the admin's Sciener app from time to time, whenever they are connected via Bluetooth (i.e. when the admin's smartphone is at home with Bluetooth turned on to communicate with the door lock).

Sciener eKey and passcode can be created with the following time limit settings:
  • Permanent - can be used all the time until revoked.
  • Timed - valid from a defined start date and time until a defined end date and time.
  • One time - can be used to open the door once only.
  • Recurring - can be used within a time period during the defined day of week (e.g. every Monday only, every weekends only, etc.)
The passcode is automatically generated, but can also be manually changed to a number that is easy to remember. Changing to a manually created passcode needs to be done near the lock, with a Bluetooth connection.

For fingerprint and RFID access, the options are:
  • Permanent - can access all the time until revoked.
  • Timed - can access from a defined start date and time until a defined end date and time.
All the door unlock records are stored in the lock, and the admin can view them in his Sciener app.
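The validity rules above (permanent, timed, one-time and recurring keys, plus revocation and an unlock record) are easy to get subtly wrong: a one-time key must be burned on first use, an unknown key type must be denied rather than allowed, and every attempt should be logged whether or not it succeeds. The following is an added example that models those rules in Python; it is not Sciener's code or protocol, and the class, function names and sample dates are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Hypothetical model of a digital key with the four validity types
# described in the post. Names and fields are assumptions, not Sciener's.
@dataclass
class DigitalKey:
    kind: str                              # "permanent" | "timed" | "one_time" | "recurring"
    start: Optional[datetime] = None       # timed: start of validity
    end: Optional[datetime] = None         # timed: end of validity
    weekdays: frozenset = frozenset()      # recurring: 0=Monday ... 6=Sunday
    window_start: Optional[time] = None    # recurring: daily window start
    window_end: Optional[time] = None      # recurring: daily window end
    revoked: bool = False                  # admin revocation wins over everything
    used: bool = False                     # one_time keys burn after first use


def key_is_valid(key: DigitalKey, now: datetime) -> bool:
    """Pure check: would this key open the lock at time `now`?"""
    if key.revoked:
        return False
    if key.kind == "permanent":
        return True
    if key.kind == "timed":
        return key.start <= now <= key.end
    if key.kind == "one_time":
        return not key.used
    if key.kind == "recurring":
        if now.weekday() not in key.weekdays:
            return False
        return key.window_start <= now.time() <= key.window_end
    return False  # unknown key type: deny by default


def try_unlock(key: DigitalKey, now: datetime, records: list) -> bool:
    """Attempt an unlock, burn one-time keys, and append a record either way."""
    ok = key_is_valid(key, now)
    if ok and key.kind == "one_time":
        key.used = True
    records.append((now.isoformat(), key.kind, "unlocked" if ok else "denied"))
    return ok


def demo() -> list:
    """Run a constructed sequence of unlock attempts and return the record log."""
    records = []
    # Constructed sample dates: 2020-01-06 is a Monday.
    cleaner = DigitalKey(kind="recurring", weekdays=frozenset({0}),   # Mondays only
                         window_start=time(9, 0), window_end=time(12, 0))
    guest = DigitalKey(kind="timed", start=datetime(2020, 1, 6, 14, 0),
                       end=datetime(2020, 1, 8, 11, 0))
    courier = DigitalKey(kind="one_time")
    owner = DigitalKey(kind="permanent")

    try_unlock(cleaner, datetime(2020, 1, 6, 10, 30), records)   # Monday in window -> unlocked
    try_unlock(cleaner, datetime(2020, 1, 7, 10, 30), records)   # Tuesday -> denied
    try_unlock(guest, datetime(2020, 1, 7, 20, 0), records)      # inside stay -> unlocked
    try_unlock(guest, datetime(2020, 1, 9, 8, 0), records)       # after checkout -> denied
    try_unlock(courier, datetime(2020, 1, 6, 15, 0), records)    # first use -> unlocked
    try_unlock(courier, datetime(2020, 1, 6, 15, 5), records)    # replay -> denied
    owner.revoked = True                                         # e.g. after ownership transfer
    try_unlock(owner, datetime(2020, 1, 6, 16, 0), records)      # revoked -> denied
    return records


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The record log is the part an admin would actually review: denied attempts are as informative as successful ones, since a run of denials on a revoked or expired key is exactly the signal that someone is still trying to use it.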

With these multiple ways of flexibly assigning keys to multiple users, the Sciener A2F fingerprint smart digital door lock is very suitable for use in:
  • Family
  • Office
  • Shop
  • Rented residence
  • Short stay
  • Airbnb / homestay
  • Hotel
  • ... any other places you can think of
You can unlock the door even without carrying anything (using a fingerprint, or entering the passcode on the lock's keypad), or by using your smartphone, smart watch, RFID card, etc.

The lock admin settings that can be configured in the Sciener app include:
  • Changing the default admin passcode used to unlock the lock.
  • Allowing/disallowing the lock to be unlocked remotely via the WiFi Gateway. When this is configured properly, you can even open the door using the Sciener app when you are far away from home.
  • Setting the timer for the lock to auto-lock itself after an unlock, in any number of seconds.
  • Setting the time period during which the lock stays unlocked by itself - the Passage Mode. This is useful in a shop or office environment to allow general access during the day and keep the door locked at night.
  • Setting the lock to give sound feedback when operated, or to be silent.
  • Synchronizing the clock of the smartphone with the lock.
  • Retrieving records from the lock to the smartphone.
  • Performing a lock firmware update.


The Sciener app is designed to be very flexible. A single app login with a single user can be paired with multiple Sciener locks. You can also group the locks for easier maintenance. Each lock has a user-definable name for identification.

Note that certain digital door locks can be easily hacked and unlocked with a small device called a Tesla Coil black box. Being an industry leader, Sciener is aware of this, and their locks, at least the latest version, are immune to the Tesla Coil attack.

Another common security concern is brute-force trial and error on the passcode. The Sciener lock's keypad is designed to stop working for a period of time after 5 wrong passcode entries. While the keypad is temporarily locked, the lock can still be opened by other methods such as fingerprint, RFID card, physical key, etc. This makes the lock a deterrent to hacking and yet foolproof.


Wednesday, July 11, 2018

Insecurity in the Internet of Things (IoT)

The Open Web Application Security Project's (OWASP) list of Top 10 Internet of Things (IoT) Vulnerabilities sums up most of the concerns and attack vectors surrounding the IoT category of devices, as below:
  • Insecure web interface
  • Insufficient authentication/authorization
  • Insecure network services
  • Lack of transport encryption
  • Privacy concerns
  • Insecure cloud interface
  • Insecure mobile interface
  • Insufficient security configurability
  • Insecure software/firmware
  • Poor physical security

In research by Symantec in 2015, they found issues such as the following:
  • Around 19% of all tested mobile apps that are used to control IoT devices did not use Secure Sockets Layer (SSL) connections to the cloud
  • None of the analyzed devices provided mutual authentication between the client and the server
  • Some devices offered no enforcement and often no possibility of strong passwords
  • Some IoT cloud interfaces did not support two-factor authentication (2FA)
  • Many IoT services did not have lock-out or delaying measures to protect users’ accounts against brute-force attacks
  • Some devices did not implement protections against account harvesting
  • Many of the IoT cloud platforms included common web application vulnerabilities
  • 10 security issues were found in 15 web portals used to control IoT devices, without performing any deep tests. 6 of them were serious issues allowing unauthorized access to backend systems.
  • Most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all
 
The above information is excerpted from a Symantec white paper on insecurity in the IoT.

Thursday, July 5, 2018

WiFi Alliance introduced WiFi Certified WPA3 to replace current WPA2 security standard

WiFi Alliance has just introduced WiFi CERTIFIED WPA3 (Wi-Fi Protected Access version 3) as the next-generation WiFi security standard, bringing new capabilities to enhance WiFi protection in both personal and enterprise wireless networks.


Key capabilities of WPA3 include:
  • WPA3-Personal: more resilient, password-based authentication, even when users choose passwords that are simple to remember. WPA3 leverages Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices, to provide stronger protection for users against password guessing attempts by third parties.
  • WPA3-Enterprise: offers the equivalent of 192-bit cryptographic strength, providing additional protection for networks transmitting sensitive data, such as government or finance. The 192-bit security suite ensures a consistent combination of cryptographic tools is deployed across WPA3 networks.
With the evolution of WiFi security from the current WPA2 to WPA3, we can expect:
  • WiFi passwords to be a lot more difficult to crack.
  • WiFi CERTIFIED Easy Connect: IoT devices can connect to a WiFi network more easily.
  • WiFi data that is sniffed and recorded without knowing your password cannot be decrypted, even if your password is obtained later.
  • WiFi CERTIFIED Enhanced Open: communication over an open connection (a WiFi connection without any password) will also be encrypted, and is therefore much more secure than a WPA2 open connection. In current WPA2, if WiFi is connected using an open connection without a password, the communication between the connected device and the access point is not encrypted.
  • Stronger WiFi encryption by replacing the existing PSK (Pre-Shared Key) system in WPA2 with the new SAE system.
Anyhow, in order to enjoy the benefits of WPA3, both the access point (or wireless router) and the connecting device must support this new WiFi security standard. Devices that support WPA3 will probably hit the market from 2019 onwards, gradually replacing existing ones that only support up to WPA2.



Wednesday, June 27, 2018

About the Cyber Kill Chain

The Cyber Kill Chain introduced by Lockheed Martin is a cybersecurity model that describes, in general, how a computer intrusion (hacking) over an IT network is carried out in 7 distinct stages. It was developed based on military attack thinking.

Anyhow, there is no common SOP for cyber-attacks, and hackers do not necessarily follow the Cyber Kill Chain in planning and carrying out their attacks.

This model is however useful for planning cyber-defense strategy and measures, and also for cyber-threat analysis of a networked computer system.

The 7 stages in Cyber Kill Chain are:

  • Reconnaissance - the victim is observed, analyzed and studied by the attacker.
  • Weaponization - tools are developed or obtained to exploit the weaknesses found in the victim.
  • Delivery - the "weapon" is deployed to the targeted victim.
  • Exploitation - once the "weapon" is successfully deployed, it starts working by looking for vulnerabilities in the victim's computer system.
  • Installation - at this stage, access is silently obtained by the "weapon". It will find its way to communicate with the attacker over the computer network. Normally, a backdoor is established to enable this linkage.
  • Command and Control - remote access to the victim's computer system is made available to the attacker. The attacker can take control of the compromised system and issue commands to it.
  • Actions on Objectives - with the control, the attacker is able to proceed with the objectives of the attack, such as data exfiltration, data destruction, data encryption for ransom, etc.



With reference to this model, the defending party can plan to counter the attack with the famous 4 Fs strategy, namely:
  • Find the enemy
  • Fix the enemy
  • Fight the enemy
  • Finish the enemy

Thursday, June 21, 2018

Cryptography - the essential technique in today computing world

Cryptography is the method of converting plaintext information into a non-human-readable form called ciphertext through a process called encryption, and the reverse process of converting the ciphertext back to its original form, called decryption.

Today, knowledge of cryptography is crucial for every computer programmer and computer engineer. It is applied everywhere in cyberspace, and it is a sin of omission if it is not applied properly to provide cybersecurity protection in the areas of confidentiality, integrity, authentication, and non-repudiation.

Cryptography is an integral part of blockchains and crypto-currencies such as Bitcoin, Ethereum, etc. It is used to secure data transmission in WiFi communication, 4G LTE networks, HTTPS web access, etc. It is also extensively used to secure file systems in Apple iOS, Windows BitLocker, SSD encryption, etc. It enables the implementation of digital signatures.

Cryptography makes use of digital key(s) to perform the encryption and decryption process. There is one kind of cryptography called hashing which does not use any key, and whose output cannot be reversed to the original information.


Keyless Cryptography (Hashing)
Hashing is a one-way function that converts its input message into an irreversible string called a hash or digest, which normally is much shorter than the input message. The key concept of hashing is that the generated digest is unique to the input message, so the same input message will always generate the same digest, and different input messages will not generate the same digest.

Hashing is commonly used:
  • To store passwords for identity authentication
  • To generate a checksum or fingerprint to verify that the original information has not been tampered with or changed
  • In databases and data storage for more efficient data searching
  • In computational geometry and computer graphics

Examples of hashing functions are:
  • MD5 (Message Digest 5) - designed to replace the earlier MD2 and MD4. Still commonly used despite MD6 having been around to replace it.
  • SHA-3 (Secure Hash Algorithm 3) - winner of the NIST hash function competition. Commonly used in digital certificates. Supersedes the earlier SHA-0, SHA-1 and SHA-2.
  • BLAKE2 - used in RAR compressed file checksums. Supersedes the earlier BLAKE.
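To make the two most common uses listed above concrete (an integrity checksum, and password storage), here is an added example in Python using the standard library's hashlib; it is not code from the post. It shows the determinism and avalanche properties of a digest, a constant-time checksum comparison, and why a password is never stored as a bare digest but as a salted, iterated one (PBKDF2-HMAC here). The function names, the sample message and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample input for the demonstration.
MESSAGE = b"The quick brown fox jumps over the lazy dog"


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length digest of arbitrary-length input. Same input -> same digest."""
    return hashlib.new(algo, data).hexdigest()


def avalanche_ratio(a: bytes, b: bytes, algo: str = "sha256") -> float:
    """Fraction of differing bits between the digests of two inputs.
    A good hash flips about half the output bits even for a one-character change."""
    da = hashlib.new(algo, a).digest()
    db = hashlib.new(algo, b).digest()
    differing = sum(bin(x ^ y).count("1") for x, y in zip(da, db))
    return differing / (8 * len(da))


def integrity_check(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Checksum verification, e.g. of a downloaded file against a published digest.
    compare_digest avoids leaking the position of the first mismatch through timing."""
    return hmac.compare_digest(digest_hex(data, algo), expected_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Store a password as salt + iterated PBKDF2-HMAC-SHA256 digest, never as a raw hash.
    The random salt makes identical passwords hash differently, which defeats
    precomputed digest tables; the iteration count slows down offline guessing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("sha256   ", digest_hex(MESSAGE))
    print("sha3_256 ", digest_hex(MESSAGE, "sha3_256"))
    print("blake2b  ", digest_hex(MESSAGE, "blake2b"))
    print("avalanche", round(avalanche_ratio(MESSAGE, MESSAGE[:-1] + b"c"), 2))
    stored = hash_password("correct horse battery staple")
    print("stored   ", stored)
    print("verify   ", verify_password("correct horse battery staple", stored),
          verify_password("wrong", stored))
```

Note that two users with the same password get different stored strings because of the per-user salt, and that the stored string carries its own parameters so the iteration count can be raised later without invalidating old records.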


Symmetric Key Cryptography (Private Key Cryptography)
The same private key is used for message encryption and decryption.

It is commonly used in secure data transmission, such as SSH, WiFi with a password, 4G LTE communication, etc.

Examples of symmetric key cryptography are:
  • DES (Data Encryption Standard) - designed by IBM in the 1970s. A modern supercomputer is able to decrypt DES-encrypted information within just a few days. Still commonly used in smart cards, SIM cards, etc.
  • 3DES (Triple DES) - a more secure version of DES.
  • IDEA (International Data Encryption Algorithm) - commonly used in Pretty Good Privacy (PGP) email signing and secure email transfer.
  • ThreeFish - the successor of Blowfish and TwoFish. Commonly used in SSH secure remote access.
  • RC6 (Rivest Cipher 6) - designed by RSA Security; its patent just expired in 2017. Commonly used for secure data transmission and in bank ATM machines. The successor of RC2, RC4 and RC5.
  • AES (Advanced Encryption Standard) - commonly used by the USA government and the commercial sector to protect top secret documents.

Asymmetric Key Cryptography (Public Key Cryptography)
Consists of a key pair: the private key, which should be kept secret by the owner, and the public key, which needs to be known by others.

In the scenario of digital signing, the private key is used to sign the digital document, and the public key is used to verify the digital signature.

In the scenario of data encryption, the public key is used to encrypt the document to be sent to the private key owner, and the encrypted document can only be decrypted using the corresponding private key.

It is commonly used in Secure Sockets Layer (SSL), Transport Layer Security (TLS), S/MIME, digital signatures, blockchains and crypto-currencies.

Examples of asymmetric key cryptography are:
  • RSA (Rivest-Shamir-Adleman) - named after its 3 designers. Patent expired in 2000. Compared with DSA, it is slower in digital signing and faster in verification.
  • DSA (Digital Signature Algorithm) - patented but can be used royalty-free. Commonly used in SSH and digital signatures. Compared with RSA, it is faster in digital signing and slower in verification.
  • ECC (Elliptic Curve Cryptography) - derived from DSA and based on elliptic curve theory. Commonly used in Bitcoin, Ethereum, iOS, etc.
  • Diffie-Hellman - used for public key exchange and not for digital signing or data encryption.

Tuesday, June 12, 2018

Is your organization still following the outdated password policy?

If you were told or forced to set up a so-called "strong password" that is required to be complex (must consist of a combination of uppercase letters, lowercase letters, numbers, special characters, and so on...) just to safeguard your user account from password guessing, peeping and/or brute-force attacks, that policy is outdated and should be made obsolete as soon as possible.

If you were also told or forced to change your password periodically, let's say every month or so, that thinking has also been admitted by certain cybersecurity experts to be foolish, and will not make your account more secure.

Indeed, it only serves to make your life more difficult, and makes your account much more vulnerable if you eventually do any of the following to help remember your latest password:

  • Write your latest password on Post-It notes or inside your diary book.
  • Tape your password somewhere near your computer (similar to what the character Nolan Sorrento did in the movie Ready Player One).
  • Keep your password in a computer file (text, Word, Excel, ...), either password protected or not.
  • Store it with your web browser's auto-complete feature.
Apparently, the outdated password policy requiring complex passwords and frequent changes was derived from a 2003 National Institute of Standards and Technology (NIST) report, namely "NIST Special Publication 800-63, Appendix A."

Interestingly, it is also NIST who has overturned its own password guidelines in its recent NIST Special Publication 800-63A report, namely "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements", released in June 2017. You can download the complete report here for free.

The new report makes the following important suggestions:
  • Verifiers SHOULD NOT impose annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type. They make most people remember passwords with Post-It notes or computer files. It's better to allow people to use passphrases.
  • Verifiers SHOULD NOT bother users with password expiration. That was an old idea for an old way of using computers. Only force a password change when there is an indication of compromise.
  • SHOULD use dual factor authentication (2FA). This is proven to be the more robust and secure way.
Dual factor authentication adds an additional layer of security by requiring not only the password but also another piece of information that only the account holder has or knows. One of the most commonly used methods for dual factor authentication is the one-time password (OTP), which can be event-based (the OTP is generated by triggering an event, such as a keypress, explained in RFC 4226) and/or time-based (the OTP keeps changing with time, explained in RFC 6238).

The account holder needs to read the OTP from a token and use it to log in. The token can be generated by a hardware device such as a key fob, display card, USB authentication key, OCRA keypad, etc. It can also be generated and delivered to the account holder by software, in the form of SMS, email, mobile app display, push notification, etc.

Note that the use of SMS or email for OTP is also an outdated method, vulnerable to trojan horse interception and/or malicious software. You can search the Internet for the following keywords to read more about how insecure it is to use SMS for OTP:
  • ZeuS-in-the-Mobile (ZitMo)
  • SpyEye-in-the-Mobile (SPITMO)
  • Android.Bankosy
Besides, the OTP in SMS and email is very likely to be sent in plain text, which is subject to the ISMS threats of interruption, interception, modification and fabrication along the way.

Therefore, all organizations should update their password policy for all users to:
  • Use passphrases instead of passwords
  • Use dual factor authentication with a secure token (avoid the outdated SMS or email method)

Sunday, April 22, 2018

Google Chrome and Firefox will distrust websites with SSL/TLS certificate issued by Symantec / Verisign / Thawte / GeoTrust / RapidSSL

Web browsers Google Chrome (with 57.69% global market share as of March 2018) and Firefox (with 5.4% global market share as of March 2018) will start to distrust all websites with SSL/TLS certificates issued by Symantec, Verisign, Thawte, GeoTrust and RapidSSL.

This means that in the near future, every time you visit such a website over HTTPS with Google Chrome, Firefox, or possibly other web browsers that follow suit, the browser will give you a security warning before you can read the webpage.

Some of the affected popular websites include (but are not limited to)...

In late 2017, DigiCert acquired Symantec's Website Security and related PKI solutions, which was the Certificate Authority for those affected Symantec, Verisign, Thawte, GeoTrust and RapidSSL SSL/TLS certificates.

Webmasters of all affected websites can arrange with DigiCert to replace their SSL/TLS certificates with new ones issued by DigiCert, which are still trusted by Google Chrome and Firefox.

You can click here to read more about this issue.

Wednesday, September 20, 2017

CCleaner official download was hacked and infected version containing malware released to public - how to fix

CCleaner by Piriform (recently acquired by Avast) is a famous piece of software, available in free and paid versions for Windows, Mac and Android, that does housekeeping on your computer or Android mobile device by cleaning up junk files and junk registry entries, in order to keep the computer running smoothly. It claims to have achieved over 2 billion downloads. There is also a cloud version available.


If your computer has CCleaner installed, you need to be aware that between mid-August and mid-September 2017, the official download site of CCleaner was hacked, and the official CCleaner installer was replaced with a version containing malware that will compromise your computer. The "contaminated" CCleaner version was distributed to all the 3rd-party download sites as well!

If you installed or updated your CCleaner with the version containing the malware, then your computer is infected.

This is a kind of supply chain attack, which is considered a very effective way to distribute malicious software to target organizations or the general public. The attackers rely on the trust relationship between the supplying source (such as the official release source) and the consumer. This trust relationship is then abused to attack organizations and individuals.


Which versions are affected?

  • CCleaner v5.33.6162
  • CCleaner Cloud v1.07.3191
It is said that the affected versions were for 32-bit Windows PCs, and CCleaner for Android is probably safe. Newer officially released versions of CCleaner (version 5.34 and above) are also safe, as no malware is included (fingers crossed).


What does the malware possibly do?

This malware was detected and reported separately by Cisco's Talos Intelligence Group and Morphisec's security team.

According to their analysis, this malware collects information from your computer, including network connection details, running processes, installed software, anything running with administrator privileges, etc. It encrypts the information and sends it back to the hacker's server using an HTTPS POST.

The hacker's server can make use of the backdoor created by the malware to send code to be executed with administrator privileges on the infected computers.


How to fix?

If your Windows computer has CCleaner installed, you should uninstall it immediately, regardless of version. After that, if you still want to continue using CCleaner, you can download and reinstall the uninfected latest version (5.34 and above) from its official download site.



Thursday, October 6, 2016

Top 10 database security threats

Databases are among the most valuable assets in an information system, as they store the valuable and vital data and records of the business. As such, they are also among the most attractive targets of intrusion for hackers attempting to gain access to confidential and sensitive information.

California-based cyber security solution provider Imperva has consistently published a Top 10 Database Security Threats white paper every year.

From 2013 until 2015, this top 10 database security threats list remained the same, with the same ranking, as below:

  • 1. Excessive and Unused Privileges
  • 2. Privilege Abuse
  • 3. Input Injection (SQL Injection)
  • 4. Malware
  • 5. Weak Audit Trail
  • 6. Storage Media Exposure
  • 7. Exploitation of Vulnerabilities and Misconfigured Databases
  • 8. Unmanaged Sensitive Data
  • 9. Denial of Service (DoS)
  • 10. Limited Security Expertise and Education
According to Imperva, the top 9 threats above can be addressed using an automated Database Auditing and Protection (DAP) platform, an approach that improves security, simplifies compliance, and increases operational efficiency. The 10th threat is the "human factor" of negligent employees or contractors.

The white paper outlines a multi-layered database security defence strategy encompassing:
  • Discovery and Assessment: to locate where database vulnerabilities and critical data reside.
  • User Rights Management: to identify excessive rights over sensitive data.
  • Monitoring and Blocking: to protect databases from attacks, unauthorized access, and theft of data.
  • Auditing: helps to demonstrate compliance with industry regulations.
  • Data Protection: to ensure data integrity and confidentiality.
  • Non-Technical Security: to instil and reinforce a culture of security awareness and preparedness.

"Failing to safeguard databases that store sensitive data can cripple your operations, result in regulatory violations, and destroy your brand. Understanding the top database threats and implementing the solutions outlined in this paper will enable you to recognize when you're vulnerable or being attacked, maintain security best practices, and ensure that your most valuable assets are protected." -- Imperva, 2015

You can download the complete white paper to find out more details of this interesting defence strategy.


Monday, August 22, 2016

GuardKey - your sensitive data protection solution for local storage, portable storage and also cloud storage (i.e. Dropbox, Google Drive, OneDrive, etc.)

"A lot of people use Dropbox.

A lot of people put a lot of valuable, sensitive and personal data inside Dropbox.

A lot of people make the mistake of not encrypting their valuable, sensitive and personal data before they put it inside Dropbox.

Which all adds up to a whole heap of trouble if Dropbox suffers a data breach."

-- Quoted from Graham Cluley's article titled "The huge Dropbox password leak that wasn't".

Yes, your data in cloud storage such as Dropbox needs a second layer of protection, despite being well encrypted and taken care of by Dropbox.

This is because most of the time, the data in your cloud storage can be easily accessed once your password is obtained or cracked.

Worse still, most cloud services such as Dropbox provide the convenience of staying logged on once you have signed in from their apps, be it on a computer or a mobile device. This means that whoever obtains physical access to your computer or mobile device with an active logon session to your cloud service can easily access your data without even needing to know your password!

Nowadays, most cloud services like Dropbox do provide an option for additional security through 2-step verification, which requires a second verification through SMS, USB key, etc. besides your password. However, novice users find it difficult to configure and activate, and there are limitations in the USB key method, such as only working when accessing the cloud service with the Google Chrome browser. In addition, this 2-step verification doesn't close the open session loophole described in the paragraph above.

I found a wonderful product called GuardKey which fills this gap perfectly by offering data encryption and concealment not only for your cloud storage, but also for your local storage (e.g. hard disk, NAS storage, SAN storage, etc.) and portable storage (e.g. USB drive, SD card, etc.).


GuardKey is a USB dongle with the following components:
  • A unique AES-256 encryption/decryption key.
  • Windows software to be installed on your computer, which performs seamless encryption and decryption of your Safebox (a hidden folder on your storage device; everything inside it is protected by GuardKey).
  • 8 GB of free empty storage, for you to use the USB dongle as normal USB drive.
This metallic USB key has a solid and durable look and feel.

There is always a trade-off between security and convenience. The higher the security measure, the more inconvenient it becomes for the user, and vice versa. The beauty of GuardKey is that it lets the user choose a point anywhere between high security and high convenience.

If the user opts for high security, the Safebox can only be opened with the USB dongle and a password. At a more convenient level, it only needs the USB dongle, without entering a password. Plug in your GuardKey dongle and you have access to your Safebox; pull out your GuardKey dongle and your Safebox is hidden, and even if found, all the data inside it is encrypted with AES-256 (Advanced Encryption Standard with a 256-bit key), a military-grade encryption method recommended by the NSA for the US government to protect Top Secret information.

Alternatively, you can also make it possible to unlock the Safebox without the USB dongle, by using the GuardKey Viewer mobile app. The mobile device running GuardKey Viewer needs to be paired with the GuardKey application running on the computer before it can be used as a Safebox mobile unlocker.

There are 2 levels of mobile unlock security: a six-digit one-time password (OTP) that changes every minute, or a random sequence of images combined with the six-digit OTP.



GuardKey supports the creation and usage of Safebox in local disk (including portable storage) and also in Cloud storage.


Supported cloud storage includes Dropbox, Google Drive, OneDrive, ASUS WebStorage, Box, SugarSync, and other cloud storage that syncs with the local disk, in which case the user needs to tell GuardKey the location of the sync folder.


GuardKey supports one Safebox per storage drive. The screenshot below shows that I've created one Safebox for local drive D and another for Dropbox.


The data inside these Safeboxes is encrypted and not accessible until they are unlocked by GuardKey. When unlocked, a virtual drive is mounted and the Safeboxes become accessible as folders on that drive. Once relocked, they disappear from the virtual drive, and if all the Safeboxes are relocked, the GuardKey virtual drive is also unmounted and disappears.


By using GuardKey, you can therefore ensure that all your AES-256 protected data in the Safebox remains unreadable and inaccessible, even if your computer is stolen, seized or hacked. By encrypting your files and folders in cloud storage with GuardKey, you can also protect them from leaking or exposure through hacking or unauthorized access to your cloud storage account.

The same GuardKey USB dongle can be used on multiple computers to access the encrypted data in your cloud storage, so that you can reach your files from any computer with GuardKey installed by plugging in your dongle. In addition, you can also access your Safeboxes in cloud storage from your smartphone by using the GuardKey Viewer mobile app.

GuardKey is a well thought-out product. If you lose your USB dongle and have not enabled the mobile unlock option, you can still unlock your Safebox and rescue the data inside by using the backup AES-256 key residing on your local disk, which requires your password to be used.

If you are concerned about this "backdoor" for emergency data retrieval, you can store your AES-256 key on another USB disk and lock it in a physical safe, then delete and wipe the backup key from the data folder of the GuardKey installation path on your local disk.

Although the metallic GuardKey dongle is solid and looks durable, you might wonder what happens if it becomes faulty and no longer usable. Without the key, how are you going to access your valuable data protected by GuardKey? This situation has also been thought about, and there is a mechanism within the GuardKey software that lets you duplicate the dongle to another USB disk.

In conclusion, GuardKey is very flexible between security and convenience, which you can adjust according to your needs. In high security mode, I believe it is fit for commercial and industrial use. In high convenience mode, such as unlocking on the fly with the USB dongle without a password, it can still protect your data, provided that your USB dongle does not fall into the hands of someone who at the same time also has your computer.



Wednesday, August 3, 2016

The hacking of Telegram app and the vulnerability of relying on SMS as authentication method

Yesterday (2 August 2016) there was news that the mobile phone numbers of 15 million Iranian Telegram users were exposed and more than a dozen accounts were compromised by hackers.

A chain is only as strong as its weakest link. This incident showed that SMS, which is currently commonly used as an authentication method in many online services including online banking systems, is vulnerable to security breaches and could be the weakest link in the security measures.

Coincidentally, Focus Malaysia Issue 191 dated 29 July 2016 had also just discussed this vulnerability in its featured article titled "Overcoming The Two-Factor Vulnerability: When it comes to securing your web accounts, two-factor authentication using SMS is safer than just a standard password. But recent cases have shown that it might be time to move away from that."

Why is it not a good idea for online service providers to use SMS as a security measure?

Firstly, the sending and receiving of SMS depends on the telco's service, which is totally outside the control of the online service provider. Therefore, it is vulnerable to interception, hijacking, impersonation, replication, and other kinds of security breaches along the sending and receiving path.

Secondly, technically speaking, personnel working in the telco can also easily manipulate SMS, as the control is with them. This is very likely what happened to the Telegram users in Iran.

Thirdly, as mentioned in the Focus Malaysia article, the code sent by SMS can be obtained using social engineering.

Fourthly, as SMS is delivered to the phone, if the user loses his/her phone with mobile apps for online banking, online stockbroking, etc. installed, and those apps use SMS for authentication, whoever gets the phone can easily take control of the user's accounts, unless the SIM card in the phone is immediately barred, which disables its SMS function.

As for the Telegram app, you can further secure your Telegram account by activating two-step verification, which requires your password to log in in addition to your mobile phone number.

To activate two-step verification in the Telegram app, go to Menu > Settings > Privacy and Security > Two-Step Verification and set your recovery email there. Your email can then be your last resort to safeguard your account from hijacking.







Thursday, May 5, 2016

Today is World Password Day

Today is the first Thursday of May, World Password Day! It is observed to raise awareness of the need for good password security practices.

Nowadays, passwords are used everywhere, being a commonly used security mechanism for:

  • identity verification
  • authentication of access control
  • encryption/decryption key to protect our private information

Here are the 4 action steps to secure your online experience, recommended by the organizers of World Password Day:


Why the first Thursday of May? Perhaps this day itself is an interesting day, being observed on:
  • 5 May 2016
  • 4 May 2017
  • 3 May 2018
  • 2 May 2019
  • 1 May 2020

For more information, visit: https://passwordday.org/


Saturday, October 24, 2015

Solved unable to sign in Norton Identity Safe problem

I use Norton Internet Security as the security solution for my home computers, and use the Norton Identity Safe that comes with it to store my web access identity information.

A few days ago, when I tried to open my vault in my web browser as usual, I found that I couldn't log in to Norton Identity Safe.

The symptoms were as follows:

When I tried to open the vault, I saw this "Get started" pop-up window.


Fine. After clicking the "Sign in" button, I was required to provide my email address and password as registered with Symantec to continue.

I keyed in the email address and password, and the window showed it was connecting to the server. On the next screen, instead of being logged in, it went back to the "Get started" screen again.

I used the same email address and password to log in to the Norton website, and I was able to log in without any problem. This means that my email and password combination for logging in to Norton is correct.


After numerous trials and errors, I finally discovered the solution!

Here is the trick: you need to log out from Norton Internet Security before you can successfully log in to Norton Identity Safe.

To log out of Norton Internet Security, open the application, then click on your email address shown in the "Sign in as" corner, and click OK.


After that, go back to the web browser to open the vault.

This time, after entering my email address and password, I finally saw this familiar window:


I keyed in my vault password, and the vault opened.

By the way, once you have successfully logged in to Norton Identity Safe, you will automatically be logged in to Norton Internet Security as well, even though you logged out just now.


Friday, August 21, 2015

If your Mozilla Firefox web browser can no longer access certain HTTPS websites, try this fix

Mozilla Firefox version 39 onwards will by default block HTTPS connections to web servers using weak ephemeral Diffie-Hellman (DH) keys.

Bear in mind that by default, Firefox is set to update itself automatically from time to time, so your version will eventually be updated to version 39 and above.

This is a security measure against the Logjam attack. You can click here to read more about the Logjam attack.

If you visit an affected website over an HTTPS connection with Firefox, you will see the following error message:

Affected websites include the webmail of older versions of Zimbra Collaboration Suite. Click here for more detail.

You can fix this by installing the Disable DHE 0.1.2 add-on by Mozilla in Firefox.

To install, go to Menu > Add-ons in Firefox and search for "Disable DHE". Once you find the add-on, click the Install button to install it.

Restart Firefox and check if this fix works for you.


If your Mozilla Thunderbird email client can no longer get email from mail server, try this fix

One day, I found that no new email had come in to my Mozilla Thunderbird email client for quite a long time, but I could still receive new emails from the same server on my smartphone.

I looked into the Error Console of Thunderbird by going to Tools > Error Console (you can also press the hotkey Ctrl-Shift-J to get to the same place) and found this error message:


A search on the Internet revealed that Mozilla Thunderbird version 38.1.0 and above blocks connections to any mail server using weak ephemeral Diffie-Hellman (DH) keys by default, so it can no longer retrieve new emails from the affected server.

Bear in mind that by default, Thunderbird is set to update itself automatically from time to time, so your version will eventually be updated to version 38.1.0 and above.

Blocking weak Diffie-Hellman key exchange is in fact a security measure against the Logjam attack on the TLS protocol. You can click here to read more about the Logjam attack.

Affected email servers include older versions of Zimbra Collaboration Suite. Click here for more detail.

While waiting for the mail server administrator to fix the problem on the server side, I applied the Disable DHE 0.1.2 add-on by Mozilla to my Thunderbird, and it can now continue to receive new emails from the server.

To apply this add-on to your Thunderbird email client, click on the link above to go to its download webpage.

Then, click on the "Download Anyway" link and save the file disable_dhe-0.1.2-fx.xpi on your computer.

After that, go to Tools > Add-ons in Thunderbird, pull down the menu button on the left of "search all add-ons" and select "Install Add-on From File..." to install disable_dhe-0.1.2-fx.xpi into your Thunderbird.

Restart Thunderbird and check if this fix works for you as well.

Thursday, July 2, 2015

Alert: your password stored in web browsers can easily be retrieved and revealed by WebBrowserPassView

WebBrowserPassView by NirSoft is a Windows freeware password recovery tool that can reveal the website passwords you have stored in web browsers including Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera.


This means that anybody who has physical or remote access to your computer, or any malicious software that gains access to your computer, can easily retrieve the login names and passwords stored in your web browsers.

These user names and passwords might include login information for Google, Yahoo, Facebook, Twitter, forums, and even your Internet banking accounts, as long as you have stored them in your web browser under the AutoComplete or AutoFill feature.

Therefore, it is advisable not to store your passwords in your web browser. You can store them with a more secure mechanism such as Norton Identity Safe, which provides a similar autocomplete feature but stores your passwords in a more secure way.

Sunday, June 28, 2015

Recuva - freeware to recover deleted photo / video / music / document / email from SD card / hard disk / USB thumb drive / iPod

If you want to recover or undelete your deleted or lost files (photo, video, music, document, email, etc.), you can try a Windows freeware called Recuva by Piriform.

Recuva works on any rewritable storage media you have, including internal and external hard disks, SD cards, USB thumb drives, and even iPods. It is possible to recover from damaged or formatted disks too.

Besides that, it can also try to recover your deleted emails from MS Outlook, Outlook Express, Windows Live Mail, or Mozilla Thunderbird.

It can even try to recover unsaved MS Word document after a MS Word crash.

Using Recuva is pretty easy and straightforward. You just need to specify the location of your lost file...


... and then the file type...


... then Recuva will start to do the searching.

It will then list out the recoverable files for you to choose and restore them in a new storage location of your choice.

Besides the free Recuva, there are also paid versions including Recuva Professional and Recuva Business Edition, which include advanced features and professional technical support from Piriform.

Saturday, March 28, 2015

BIOS security update for Lenovo Yoga 2 Pro and Yoga 3 Pro laptops

On 27 March 2015, Lenovo released the latest BIOS update (version 76CN42WW) for the Lenovo Yoga 2 Pro ultrabook laptop.

On the same day, Lenovo also released the latest BIOS update (version A6CN49WW) for the Lenovo Yoga 3 Pro ultrabook laptop.

These latest BIOS versions for the Yoga 2 Pro and Yoga 3 Pro respectively fix all merged issues from previous versions, and also fix the security issues in the Intel UEFI (Unified Extensible Firmware Interface) module.

You can click here to go to the download page of the latest BIOS update utility for the Lenovo Yoga 2 Pro, and click here to go to the download page of the latest BIOS update utility for the Lenovo Yoga 3 Pro.

The BIOS update is pretty straightforward. Make sure that the battery level of the laptop is at least 80% and that it is plugged in to the AC power supply. Then, run the downloaded BIOS Update Utility.


The new BIOS will be flashed with the InsydeFlash utility from Windows 8.1. After that, the system will reboot itself, and the BIOS update will be performed.

After the BIOS update completes, the laptop will reboot itself again and return to the Windows login screen.

No data is lost in this BIOS update. Even the BIOS settings and passwords remain after the update.

Saturday, September 27, 2014

Restrict apps network access in Android smartphones with Firewall Plus

Do you want to block mobile advertisements from appearing on the screen of your standalone apps or games (those that work locally without a network connection)?

Do you feel suspicious and insecure when you discover network activity from some of the apps installed on your smartphone, even though you didn't open them, or the apps are supposed to work locally without connecting to the network?

Would you like to restrict certain apps that consume a lot of network data, such as e-magazines, e-newspapers, etc., so that they can only use the WiFi connection to access the network, and not your precious mobile data plan?

If you have already rooted your Android device, you can install the free Firewall Plus.


I found Firewall Plus very straightforward and easy to use, and it has a very small file size of only 239 KB.

It lists all the apps on your Android device, and for each app you can choose to allow WiFi access, 3G/4G mobile access, both, or neither.

It has 2 modes: Blacklist mode is useful when you want to allow the majority of apps full network access, and Whitelist mode is useful when you want to deny network access to all apps by default.

Firewall Plus works on top of the built-in iptables firewall in Android.

If you haven't rooted your Android device, you can also try another app called NoRoot Firewall. NoRoot Firewall leverages the VPN function of your Android device to perform its firewall function, which I think is less efficient than Firewall Plus.

By the way, if you have installed 3G Watchdog or its Pro version on your Android device to monitor your network usage, it can show you the usage by app very clearly.


Of course, you can also use the Data Manager inside the Android KitKat system to check network usage by app.


