iBoss blog: The Dark Side of SSL Certificates

The world of SSL certificates is changing, as the certs become easier to obtain and more frequently used. In general, having a secure HTTP-based website is a good thing: the secure part of the protocol means it is more difficult to eavesdrop on any conversation between your browser and the web server. Despite their popularity, there is a dark side to them as well. Let’s take a closer look at my iBoss blog post this week.

The scourge of patent trolls

One of the tech industry’s dirty secrets is enabling an entire class of bottom-feeders called the patent troll. These are lawyers that exist solely to sue other firms and bleed them dry from the threat of patent infringement. A new documentary is out by Austin Meyer (shown here), who suffered from one troll purely because he uploaded his app to the Google Play store. The troll claimed his patent covered such activity, which is just utter nonsense. As shown in Meyer’s movie, almost all defendants settle patent cases to avoid the costs of discovery and a protracted legal battle. There are several thousand troll-based lawsuits filed annually, and the number is increasing.

Sadly, what these trolls do is also perfectly legal. But what gets my goat is that the trolls don’t actually make anything: it isn’t like they have a competitive product line that they are trying to protect with their lawsuit. They are really just racketeers, extortion con men. Many of these firms, like Virnetx and Uniloc, are companies that you have never heard of, and they are getting rich from these troll payouts.

For example, several years ago Virnetx beat Apple and now gets $300M a year in royalties because FaceTime was claimed to infringe on secure network communications patents it held. That took years to work its way through the courts in eastern Texas.

Wait a minute. Why Texas? Isn’t Apple’s HQ in California? Yes, but until recently, trolls could file wherever they pleased. Many of the patent cases are tried in eastern Texas, because the area’s court system is especially friendly to trolls. For example, in the small town of Marshall, Judge Rodney Gilstrap oversaw more than a quarter of the country’s patent cases in 2015, reports the Electronic Frontier Foundation. Marshall figures prominently in Meyer’s movie, where he takes us literally on a tour of the empty offices across the street from the county courthouse where these patent cases are tried. All these offices are quite representative of these shell companies that are the trolls.

One delightful tidbit that he missed was that hotels in Marshall are so commonly frequented by lawyers that one even purchased a subscription to the electronic court-records system Pacer. You have in-room Wi-Fi, and now there is in-room legal records search. How convenient. Earlier in May this year the US Supreme Court unanimously ruled that a defendant should only face patent litigation in the state where it’s incorporated, which for many tech businesses is either California or Delaware. Meyer tells me that that hasn’t really stemmed the tide in Marshall, so probably that hotel will keep its in-room Pacer subscription.

Not all trolls succeed. In one case, Uniloc was defeated when a group of gaming companies showed the flaws in its argument in a case that was decided by an internal review by the US Patent Office earlier this year. Uniloc is one of the more notorious trolls, but this is a minor setback: it has a huge collection of judgements from other cases. Uniloc was the troll that sued Meyer, btw.

One of the issues mentioned in Meyer’s movie is that once the trolls identify a potential victim (not too small and not too large, so that the firm will be motivated to pay out rather than fight), the victim is often hit repeatedly by other trolls. The typical lawsuit will cost several million dollars. Another issue: trolls sue people that use the patented idea, no matter how ridiculous the patent may be.

Patent trolls aren’t a new topic; indeed, there is another documentary by Lex Lybrand called The Trolls that came out last year and documents his experience when his crowdfunded company was hit by a troll. And John Oliver did one of his HBO Last Week Tonight shows on patents a few years ago. (He illustrates his points with several great Shark Tank snippets.) Meyer is also featured on Oliver’s segment.

Meyer has several suggestions for improving the patent process, and many of them have little hope of happening, thanks to trial lawyer lobbies and other market forces. But if you want to see how broken our patent system is, the movie is well worth your time.

Meyer’s movie, The Patent Scam, is now available for a fee to download and soon will be on Netflix and other streaming services.

Learning from a great public speaker, Reuben Paul

I got a chance to witness a top-rated speaker ply his trade at a conference that I attended this week here in St. Louis. The conference, called DoDIIS, was a gathering of several hundred people who work in IT for our intelligence agencies. When I signed up for press credentials, I didn’t know he was going to be speaking, but I am glad that I could see him in action. As someone who speaks professionally at similar groups, I like to learn from the best, and he was certainly in that category.

The odd thing about this person is that he is still a kid, an 11-year-old to be exact. His name is Reuben Paul and he lives in Austin. Reuben has already spoken at numerous infosec conferences around the world, and he “owned the room,” as one of the generals who runs one of the security services mentioned in a subsequent speech. What made Reuben (I can’t quite bring myself to use his last name as common style dictates, sorry) so potent a speaker is that he was funny and self-deprecating as well as informative. He was both entertaining and instructive. He did his signature story, as we in the speaking biz like to call it, a routine where he hacks into a plush toy teddy bear (shown here sitting next to him on the couch along with Janice Glover-Jones, who is the CIO for the Defense Intelligence Agency) using a Raspberry Pi connected to his Mac.

The bear makes use of a Bluetooth connection to the Internet, along with a microphone to pick up ambient sound. In a matter of minutes, Reuben was showing the audience how he was able to record a snippet of audio and play it back on the bear’s speaker, using some common network discovery tools and Python commands. Yes, the kid knows Python: something that impressed several of the parade of military generals who spoke afterwards. These generals were semi-seriously vying to get the kid to work for their intelligence agencies once he was no longer subject to child labor restrictions.

The kid is also current with the security issues of the Internet of Things, and can show you how an innocent toy can become the leverage point for hackers to enter your home and take control without your knowledge. This has become very topical, given the recent attacks using WannaCry, Petya and others that target these connected objects.

Reuben also managed to shame the IT professionals attending the conference. As the video monitors on stage were showing him scrolling down the list of network addresses from phones that were broadcasting their Bluetooth signals, he told us, “if you see your phone listed here, you might remember next time to turn off your Bluetooth for your own protection.” That got a laugh from the audience. Yes, this kid was shaming us and no one got upset! We were in the presence of a truly gifted speaker. I had made a similar point in my speech just a couple of weeks ago about Bluetooth vulnerability, and much less adroitly.

Reuben isn’t just a one-trick pony (or bear), either. The kid has set up several businesses already, which is impressive enough even without considering his public speaking prowess. One of them is this one that helps teach kids basic cybersecurity concepts. Clearly, he knows his audience, which is another tenet of a good speaker. If you ever get a chance to see him in person, do make the effort.

iBoss blog: What Is the CVE and Why It Is Important

The Common Vulnerabilities and Exposures (CVE) program was launched in 1999 by MITRE to identify and catalog vulnerabilities in software or firmware and create a free lexicon to help organizations improve their security. Since its creation, the program has been very successful and is now used to link together different vulnerabilities and to facilitate the comparison of security tools and services. You now see evidence of its work by the unique CVE number that accompanies a malware announcement by a security researcher.

In my latest blog post for iBoss, I look at how the CVE got started, where it is used, and the important role it plays in sharing threat information.

When anonymous web data isn’t anymore

One of my favorite NY Times technology stories (other than, ahem, my own articles) is one that ran more than ten years ago. It was about a supposedly anonymous AOL user who was picked out of a huge database of search queries by researchers. They were able to correlate her searches and tracked down Thelma, a 62-year-old widow living in Georgia. The database was originally posted online by AOL as an academic research tool, but after the Times story broke it was removed. The data “underscore how much people unintentionally reveal about themselves when they use search engines,” said the Times story.

In the intervening years since that story, tracking technology has gotten better and Internet privacy has all but disappeared. At the DEFCON trade show a few weeks ago in Vegas, researchers presented a paper on how easy it can be to track down folks based on their digital breadcrumbs. The researchers set up a phony marketing consulting firm and requested anonymous clickstream data to analyze. They were able to actually tie real users to the data through a series of well-known tricks, described in this report in Naked Security. They found that if they could correlate personal information across ten different domains, they could figure out who was the common user visiting those sites, as shown in this diagram published in the article.

The culprits are browser plug-ins and embedded scripts on web pages, which I have written about before here. “Five percent of the data in the clickstream they purchased was generated by just ten different popular web plugins,” according to the DEFCON researchers.

So is this just some artifact of gung-ho security researchers, or does this have any real-world implications? Sadly, it is very much a reality. Last week Disney was served legal papers about secretly collecting kids’ usage data in its mobile apps, saying that the apps (which don’t ask parents’ permission for the kids to use them, which is illegal) can track the kids across multiple games. All in the interest of serving up targeted ads. The full list of 43 apps that have this tracking data can be found here, including the one shown at right.

So what can you do? First, review your plug-ins and delete the ones that you really don’t need. In my article linked above, I try out Privacy Badger and have continued to use it. It can be entertaining or terrifying, depending on your POV. You could regularly delete your cookies and always run private browsing sessions, although you do give up some usability for doing so.

Privacy just isn’t what it used to be. And it is a lot of hard work to become more private these days, for sure.

FIR B2B Podcast #78: TALKING GOOD AND BAD UX WITH DANIELLE COOLEY

Danielle Cooley has spent more than 18 years applying a number of user experience (UX) research and design techniques to a wide variety of applications, including hardware, Windows, web, telephone and mobile. Her work has benefited such organizations as Pfizer, Navy Federal Credit Union, Fidelity Investments, Hyundai, Graco, Enterprise Rent-a-Car and more. She is a frequent conference speaker at professional UX gatherings and holds several technical degrees.

Paul Gillin and I talked to her on our latest podcast about rookie UX mistakes, such as popup come-ons and autoloading videos, the difference between UX and user interfaces, and how marketers should consider the UX maturity model of their organizations when developing their programs.

Danielle also ranted a bit about the “hamburger menu” of three parallel lines that are often shown in many mobile apps (including my latest website redesign, oops!) and how they have become a cover-up for bad navigation. Here’s a presentation on what to do instead.

Danielle and I wrote this article for a UX journal where we use the example of four data breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.

Is iOS more secure than Android?

I was giving a speech last week, talking about mobile device security, and one member of my audience asked me this question. I gave the typical IT answer, “it depends,” and then realized I needed a little bit more of an explanation. Hence this post.

Yes, in general, Android is less secure than All The iThings, but there are circumstances where Apple has its issues too. A recent article in ITworld lays out the specifics. There are six major points to evaluate:

  1. How old is your device’s OS? The problem with both worlds is when their owners stick with older OS versions and don’t upgrade. As vulnerabilities are discovered, Google and Apple come out with updates and patches — the trick is in actually installing them. Let’s look at the behavior of users between the two worlds: The most up-to-date Android version, Nougat, has less than 1% market share. On the other hand, more than 90% of iOS users have moved to iOS v10. Now, maybe in your household or corporation you have different profiles. But as long as you use the most recent OS and keep it updated, right now both are pretty solid.
  2. Who are the hackers targeting for their malware? Security researchers have seen a notable increase in malware targeting all mobile devices lately (see the timeline above), but it seems there are more Android-based exploits. It is hard to really say, because there isn’t any consistent way to count. And a new effort into targeting CEO “whale” phishing attacks or specific companies for infection isn’t really helping: if a criminal is trying to worm their way into your company, all the statistics and trends in the universe don’t really matter. I’ve seen reports of infections that “only” resulted in a few dozen devices being compromised, yet because they were all from one enterprise, the business impact was huge.
  3. Where do the infected apps come from? Historically, Google Play certainly has seen more infected apps than the iTunes Store. Some of these Android apps (such as Judy and FalseGuide) have infected millions of devices. Apple has had its share of troubled apps, but typically they are more quickly discovered and removed from circulation.
  4. Doesn’t Apple do a better job of screening their apps? That used to be the case, but isn’t any longer and the two companies are at parity now. Google has the Protect service that automatically scans your device to detect malware, for example. Still, all it takes is one bad app and your network security is toast.
  5. Who else uses your phone? If you share your phone with your kids and they download their own apps, well, you know where I am going here. The best strategy is not to let your kids download anything to your corporate devices. Or even your personal ones.
  6. What about my MDM, shouldn’t that protect me from malicious apps? Well, having a corporate mobile device management solution is better than not having one. These kinds of tools can implement app whitelisting and segregate work and personal apps and data. But an MDM won’t handle all security issues, such as preventing someone from using your phone to escalate privileges, detecting data exfiltration, or running a botnet from inside your corporate network. Again, a single phished email and your phone can become compromised.

Is Android or iOS inherently more secure? As you can see, it really depends. Yes, you can construct corner cases where one or the other poses more of a threat. Just remember, security is a journey, not a destination.

FIR B2B PODCAST #77: IMAGINING THE FUTURE OF CUSTOMER EXPERIENCE AROUND ‘MICRO MOMENTS’

Paul Gillin and I talk to Dermot O’Connor, who is the VP of product and co-founder of Boxever, a marketing big data automation company. We discuss the changing nature of customer experience (CX) and how the rise of the online world of Google, Amazon and Facebook has changed customer expectations about their interactions with suppliers. Big data is essential to improvement for marketers. We also cover the differences between these two approaches, how difficult it is to incorporate the technology solutions that are required to implement the best CX, and how marketing departments need to get a handle on what data they have about their customers too.

Dermot offers his suggestions for how to create “Micro Moments” along the journey, a concept introduced in this Google blog. That’s about making each touch point with customers a part of crafting the best experience. O’Connor thinks the next phase of CX will center around micro-design and suggests ways in which brands can bring micro moments to life.

You can listen to our 12 min. podcast here:

Do real people want real encryption?

The short answer is a resounding Yes! Let’s discuss this topic which has spanned generations.

The current case in point has to do with terrorists using WhatsApp. For those of you who don’t use it, it is a text messaging app that also enables voice and video conversations. I started using it when I first went to Israel, because my daughter and most of the folks that I met there professionally were using it constantly. It has become a verb, like Uber and Google are for getting a ride and searching for stuff. Everything is encrypted end-to-end.

This is why the bad guys also use it. In a story that my colleague Lisa Vaas posted here in Naked Security, she quotes the UK Home Secretary Amber Rudd on some remarks she recently made. For those of you who aren’t familiar with UK government, this office covers a wide collection of duties, mixing what Americans would find in our Homeland Security and Justice Departments. She said, “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” She was trying to make a plea for tech companies to loosen up their encryption, just a little bit mind you, because of her government’s inability to see what the terrorists are doing. “However, there is a problem in terms of the growth of end-to-end encryption” because police and security services aren’t “able to access that information.” Her idea is to serve warrants on the tech companies and get at least metadata about the encrypted conversations.

This sounds familiar: after the Paris Charlie Hebdo attacks two years ago, the last person in her job, David Cameron, issued similar calls to break into encrypted conversations. They went nowhere.

Here is the problem. You can’t have just a little bit of encryption, just like you can’t be a little bit pregnant. Either a message (or an email or whatever) is encrypted, or it isn’t. If you want to selectively break encryption, you can’t guarantee that the bad guys can’t go down this route too. And if vendors have access to passwords (as some have suggested), that is a breach “waiting to happen,” as Vaas says in her post. “Weakening security won’t bring that about, however, and has the potential to make matters worse.”

In Vaas’ post, she mentions security expert Troy Hunt’s tweet (reproduced here) showing links to all the online services that (surprise!) she uses that operate with encryption like Wikipedia, Twitter and her own website. Jonathan Haynes, writing in the Guardian, says “A lot of things may have changed in two years but the government’s understanding of information security does not appear to be one of them.”

It isn’t that normal citizens or real people or whatever you want to call non-terrorists have nothing to hide. They do have their privacy, and if we don’t have encryption, then everything is out in the open for anyone to abuse, lose, or spread around the digital landscape.

Why You Need to Deploy IPv6: It Is All about Performance and Security

You have heard the arguments for using IPv6 for decades, but here is a novel reason: it is all about getting better network performance. A recent study from Cloudflare’s network operations shows that an IPv6 network can operate 25ms to 300ms faster than an IPv4 network. That isn’t theory: that is what they actually observed. These numbers are corroborated by studies from LinkedIn and Facebook, although Sucuri did a test last year that shows about the same in terms of web surfing.

Part of the debate here has to do with what constitutes performance. But an all-IPv6 network can also boost your security, if it is implemented correctly and carefully. In my latest post for iBoss’ blog, I tell you why.
