Cybersecurity – Eraser https://eraser.heidi.ie Erase Files from Hard Drives Mon, 08 Jan 2018 14:12:17 +0000

How to Control Web Cookies and Boost Online Privacy https://eraser.heidi.ie/how-to-control-web-cookies-and-boost-online-privacy/ Mon, 18 Dec 2017 11:50:08 +0000 https://eraser.heidi.ie/?p=955

Don’t like being tracked on the web? The right browser settings can help.

How to Secure your Home Wi-Fi Network Yourself https://eraser.heidi.ie/how-to-secure-your-home-wi-fi-network-yourself/ Wed, 18 Oct 2017 10:06:35 +0000 https://eraser.heidi.ie/?p=923

Anyone within range of a home Wi-Fi network can potentially hack into it. If you are a prime target for someone, they may even have managed to leave a signal booster somewhere nearby. If you spot someone sitting in a car outside with their head bent down, they may not be sleeping. They may be intruding on your life in ways you do not want. Would you like to know how to secure your home Wi-Fi network? If so, read on.

How to Secure your Home Wi-Fi Network in 7 Steps

  1. Routers come with a generic user name and password, i.e. one per brand and model. Incredibly, these are in the public domain. Sometimes they do not even have that level of protection. We recommend you change your router password to a much stronger one. If you have forgotten it, restore the factory settings and then change it.
  2. Routers have settings determining the level of encryption. You can log on to the router’s settings page and change the encryption level and the user password. The process is too technical to explain in a short post. Visit this link to learn more about this.
  3. Now disable your guest network. The risks have become too high to grant even trusted friends and colleagues open, password-free access. Your router is a pathway to your own computer once you log on. Think of the fellow in the car across the street.
  4. Each Wi-Fi router broadcasts a service set identifier (SSID) so users can recognize it. This often identifies the router brand, making it dead easy to guess the generic logins. Change it to something of your own that does not give the brand away. Change it in any case if someone is abusing the access you granted.
  5. Wi-Fi Protected Setup (WPS) lets devices pair with your Wi-Fi by sharing your network name and password automatically, often by pushing buttons on both devices. Unless you run a dedicated coffee-shop network and stay off it yourself, it is a chance not worth taking.
  6. Next, upgrade your router’s operating software. Manufacturers update their ‘firmware’ when they learn of security holes. However, updates are seldom automatic. Check your router settings at least every 30 days for updates. If you like, you could replace the manufacturer’s firmware with third-party code such as Tomato.
  7. It is always a good idea to give your Wi-Fi hub physical protection when you are not at home. Turn it off to reduce the time an attacker has to work on it. If an attack does happen while it is on, at least you are there to take action. Position counts too. Place the router in the middle of the space where your users are. This also reduces the signal strength leaking outside.

This completes our suggestions for how to secure your home WI-FI network itself, without calling in technicians and paying money.

How to Avoid Cross-Infection to Your Device

A chain is only as strong as its weakest link. We know that. But how often do we actively consider the probability of a Wi-Fi user having an infected device? Make sure your own equipment has multiple security layers, and the latest anti-virus and anti-spyware software.

Smaller devices such as smartphones, laptops, and tablets are especially at risk because we connect them to so many networks. Their risk of infection is thus higher, and an infection could spread to your business PC. If you do not want to spend more money on anti-virus protection for them, it is best to keep them off your network.

Simple Precautions to Secure your Home Wi-Fi Network

We are tempted to get bogged down in technology when increasing Wi-Fi security, and to overlook the obvious. An old, legacy router may be a simple device unable to handle these things. Heimdal Security believes most insecure sites are in the business economy, society, personal, and blogging spheres. Shopping, news and media only come after them. Things are not always what we expect, are they? Ideally, we should only link to trusted sources…

Passphrases versus Passwords & Why the Dilemma https://eraser.heidi.ie/passphrases-versus-passwords-why-the-dilemma/ Mon, 02 Oct 2017 12:13:05 +0000 https://eraser.heidi.ie/?p=916

Passwords are under increasing attack by online guessing software. We can counter this to an extent with randomly generated ones. As these are hardly memorable, we resort to writing them down or keeping them in the cloud with KeePass, LastPass, etc. Passphrases may be more memorable, but there are risks attached to them too.

Passphrase Security – There Are No Shortcuts

A passphrase is a series of words cobbled together. Hence we would type “sweet molly malone” as sweetmollymalone. But there is a catch. The original is a published phrase, and hence already in the databases of cracking sites such as crackstation.net. “sweetmollymalone” would fall victim to an aggressive attack in a matter of seconds.

We are not linguists, and the entropy of written English is outside the scope of this post. Passphrases that are less than 50 characters long are generally weak, per this Wikipedia article. We can strengthen them further by mixing in uppercase letters and digits.

The passphrase we use, and its component words, should ideally not appear in any language database, because that makes it vulnerable to a dictionary attack. Since this is impractical, the workaround is to make up our own phrase using uncommon words, and definitely not common joiner words like because, but, and, if, the, and so on.

Using acronyms can help us remember, as they may have when we crammed for exams. For example, “corker” could help us remember:

crackerjackoblidahrepublicankangarooenvelopesrenaissance

But we would still have the problem of typing this correctly, including on a smartphone on a commuter train or a bus.
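As an added illustration (not code from the original post), the estimator below scores a passphrase under the three attacker models the text describes: it is a published phrase, it is made only of dictionary words, or it must be brute-forced character by character. The word and phrase lists and their assumed sizes are constructed stand-ins, not real cracking lists.

```python
import math
import re
from typing import List, Optional, Set, Tuple

# Constructed stand-ins for an attacker's lists (assumption: real lists are far larger).
KNOWN_PHRASES = {"sweetmollymalone"}          # published phrases, run together
KNOWN_WORDS = {
    "sweet", "molly", "malone", "the", "and", "if", "but", "because",
    "cracker", "jack", "crackerjack", "republican", "kangaroo",
    "envelopes", "renaissance",
}
# Assumed sizes of the lists an attacker would really use (assumptions, not measurements).
PHRASELIST_SIZE = 1_000_000     # published phrases, song titles, quotations
WORDLIST_SIZE = 100_000         # dictionary words


def char_entropy_bits(secret: str) -> float:
    """Bits of work if the attacker has no shortcut and must try every string
    over the character classes actually present in the passphrase."""
    alphabet = 0
    if re.search(r"[a-z]", secret):
        alphabet += 26
    if re.search(r"[A-Z]", secret):
        alphabet += 26
    if re.search(r"[0-9]", secret):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        alphabet += 33          # printable ASCII punctuation
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def segment_words(secret: str, words: Set[str]) -> Optional[List[str]]:
    """Split a run-together passphrase into the fewest known words, or return
    None if some part of it is not in the word list (dynamic programming)."""
    n = len(secret)
    best: List[Optional[List[str]]] = [None] * (n + 1)  # best[i]: split of secret[:i]
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and secret[j:i] in words:
                candidate = best[j] + [secret[j:i]]
                if best[i] is None or len(candidate) < len(best[i]):
                    best[i] = candidate
    return best[n]


def estimate_bits(secret: str) -> Tuple[str, float]:
    """Return (cheapest attack model, bits of work) for a passphrase.
    The attacker picks the cheapest model, so the estimate must too."""
    lowered = secret.lower()
    if lowered in KNOWN_PHRASES:
        # A published phrase is one entry in a phrase list, however long it is,
        # and mixing the case of the letters does not change that.
        return "published phrase", math.log2(PHRASELIST_SIZE)
    words = segment_words(lowered, KNOWN_WORDS)
    if words is not None:
        # Every component is a dictionary word: cost grows with word count, not length.
        return "dictionary words", len(words) * math.log2(WORDLIST_SIZE)
    # At least one component (here the made-up word "oblidah") is in no list,
    # so the attacker is pushed back to character-level brute force.
    return "character brute force", char_entropy_bits(secret)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the space at an assumed guess rate."""
    return 2 ** bits / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for sample in ("sweetmollymalone",
                   "mollymaloneifbecause",
                   "crackerjackoblidahrepublicankangarooenvelopesrenaissance"):
        model, bits = estimate_bits(sample)
        print(f"{sample[:24]:<24} {model:<22} {bits:6.1f} bits  "
              f"{years_to_crack(bits):.2e} years")
```

Note how the 20-character string of common words scores lower than its length suggests, while one non-dictionary word in the 56-character passphrase forces the attacker back to brute force.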

Comparing Our Passphrase Dilemma with Password Options

Brute-force password hacking makes passwords increasingly unsafe on standalone devices like mobiles and desktops. It helps a little if we copy and paste them, because then we do not leave a shadow of keystrokes. Of course, we should always use a protected browser before we go near banking or financial sites.

A strong password should be at least twenty, and ideally thirty or more, characters long. It should not cobble together dictionary words, famous names, and famous places. There should be a mix of upper and lower case letters, and other characters. Like the ones we download from password-generator sites, this makes them nigh impossible to remember, and that is the rub. We have gone around in a circle and returned to copying and pasting from a secured environment.

Did a Password Management Service Just Ping?

It definitely did, although that is not a warranty that a password service is utterly reliable. Sites like KeePass and LastPass can afford a higher degree of encryption than we will ever dream of on our own devices. But, as we have mentioned so many times before in other posts, they are only as good as the people that program and support them.

  • LastPass keeps encrypted user names and passwords in client accounts. It has various levels of permissions. At the lowest, it automatically inserts these on the log-in pages associated with them. There have been a number of security lapses.
  • KeePass stores user names, passwords, and other data in encrypted files. It types the information into dialogues, web forms, etc. when the user presses a hot key. By its own admission, KeePass is open to attacks too.

Neither of the services we chose for illustration is totally bulletproof. The risk from hacking is higher if we use the same passphrases (or passwords) for multiple sites. They are, however, arguably more secure than standalone operating systems. We close with a reminder of the criteria for stronger passphrases.

  • Not a famous quotation from scripture, famous literature, etc.
  • Easy enough to remember and type in character-perfectly
  • Sufficiently long to be hard to guess, even randomly
  • Nothing even a close friend might be able to intuitively guess
  • Not famous movie names, sports teams and cultural references

We very much doubt that is the last word on passwords and passphrases. We will post advisories here if there are sudden changes.

Do Solid State Drives SSD’s Really Destroy Data https://eraser.heidi.ie/do-solid-state-drives-ssds-really-destroy-data/ Wed, 13 Sep 2017 17:35:13 +0000 https://eraser.heidi.ie/?p=909

External hard disc drives (HDDs) and solid state drives (SSDs) are both useful places to store large amounts of data, or to back up files. They are compatible with computing devices, and being portable we can ‘carry our business in a briefcase’ everywhere we go. They may also fall into malicious hands if we are not careful. The similarity ends there, because the hardware inside them is different.

How the Hardware inside SSDs Differs

HDDs have a spinning disc inside them, and an actuator read-write arm to transfer the data. SSDs, on the other hand, hold arrays of semiconductor memory built from integrated circuits. To understand how this memory functions, we have to understand computer architecture, and more specifically computer memory.

A Very Brief Overview of Computer Memory

We acknowledge contributions from MUD before we continue. We find them a great place to look when we need to clear the muddy waters of technology beyond our normal lens. Computer architecture contains three levels:

1. The uppermost cache, where the machine does its active work like calculations and procedures. Engineers keep the electrical pathways short so access to data is virtually immediate.

2. The middle ground we call random access memory, or RAM for short. Computers use this to store active processes and programs so they can get to these fast. Access is a nanosecond slower.

3. The actual hard disc: This functions as a ‘permanent’ library of programs, documents, audio files and so on. When we decide to access these, it takes a little longer to transfer them from disc to memory.

SSD technology transfers this data faster than hard drives by as much as a factor of ten. Again, we have to delve into the technology to understand how this happens.

How Solid State Drives Process Data and Delete It

An SSD’s flash memory does not clear when it shuts down, unlike an HDD. Instead, it stores the information permanently in a grid of high-speed electric cells. These cells are arranged in sections called pages, and the pages are in turn bunched into blocks.

Solid state drives can only write data to empty pages in a block. This contrasts sharply with hard disk drives, which can write data to any available location. Thus, if we want to write a new version of a document to an SSD, it creates an entirely new copy on another page. This raises the question: what happens when we want to get rid of the old file?

What Deleting Files on a Solid State Drive Achieves

Again, we have to thank the engineers at MUD for simplifying things for us. When we delete a file on a hard disc drive, the master file index simply tags it as belonging in the recycle bin rather than the folder. The actual data remains intact until we overwrite that spot on the drive. Since the storage space is allocated randomly, this can take a while.

The waters are muddier when it comes to deleting files on SSDs. They are forever rearranging data to optimize storage. The information may eventually be overwritten, but then again it may not. Read how a team of engineers from the University of California achieved only 25% to 96% success when they tried to delete records. Hence a shadow of the information always remained on the SSD.
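To make the page-and-block behaviour concrete, here is an added toy model of a flash drive (our own illustration, not code from the University of California study or from the Eraser product). Its block size, its tiny flash translation layer (FTL) and the raw_copies view of the chips are all simplifying assumptions; it shows why a host-side delete or overwrite leaves earlier copies sitting in stale pages until the drive itself erases the block.

```python
PAGES_PER_BLOCK = 4   # assumption: real blocks hold hundreds of pages
BLOCKS = 3


class ToySSD:
    """Minimal model of flash storage: a page can only be written while empty,
    and only a whole-block erase clears cells. A tiny flash translation layer
    (FTL) maps the host's logical addresses onto physical pages."""

    def __init__(self):
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(BLOCKS)]    # raw cells
        self.state = [["free"] * PAGES_PER_BLOCK for _ in range(BLOCKS)]  # free/live/stale
        self.ftl = {}   # logical address -> (block, page) holding the current copy

    def _free_page(self):
        for b in range(BLOCKS):
            for p in range(PAGES_PER_BLOCK):
                if self.state[b][p] == "free":
                    return b, p
        raise RuntimeError("no empty pages: run garbage_collect()")

    def write(self, lba, data):
        """The host 'overwrites' lba, but flash cannot rewrite a page in place:
        the new copy goes to a fresh page and the old copy is merely marked stale."""
        b, p = self._free_page()
        self.flash[b][p] = data
        self.state[b][p] = "live"
        if lba in self.ftl:
            ob, op = self.ftl[lba]
            self.state[ob][op] = "stale"
        self.ftl[lba] = (b, p)

    def delete(self, lba):
        """Host delete (or TRIM): forget the mapping. The cells are untouched."""
        b, p = self.ftl.pop(lba)
        self.state[b][p] = "stale"

    def read(self, lba):
        b, p = self.ftl[lba]
        return self.flash[b][p]

    def garbage_collect(self):
        """Erase blocks that contain stale pages and no live ones. A block
        holding even one live page is left alone, stale secrets included."""
        erased = 0
        for b in range(BLOCKS):
            if "live" not in self.state[b] and "stale" in self.state[b]:
                self.flash[b] = [None] * PAGES_PER_BLOCK
                self.state[b] = ["free"] * PAGES_PER_BLOCK
                erased += 1
        return erased

    def erase_all(self):
        """Whole-device erase: the only operation here that clears every cell."""
        for b in range(BLOCKS):
            self.flash[b] = [None] * PAGES_PER_BLOCK
            self.state[b] = ["free"] * PAGES_PER_BLOCK

    def raw_copies(self, needle):
        """What reading the flash chips directly (bypassing the FTL) would find."""
        return sum(1 for block in self.flash for cell in block if cell == needle)


def trace_deletion():
    """Walk one document through edit, delete, host-side zero-fill, garbage
    collection and full erase, counting surviving raw copies of the original."""
    ssd = ToySSD()
    secret = "constructed secret: draft v1"     # constructed sample data
    ssd.write(lba=7, data=secret)
    ssd.write(lba=7, data="draft v2")            # edit: the v1 page goes stale
    ssd.write(lba=8, data="unrelated file")      # a live neighbour in the same block
    ssd.delete(7)                                # host deletes the document
    after_delete = ssd.raw_copies(secret)
    ssd.write(lba=7, data="\x00" * 8)            # host 'wipes' lba 7 with zeros
    after_zero_fill = ssd.raw_copies(secret)
    ssd.garbage_collect()                        # block 0 still has live pages
    after_gc = ssd.raw_copies(secret)
    ssd.erase_all()
    after_erase = ssd.raw_copies(secret)
    return {"after_delete": after_delete, "after_zero_fill": after_zero_fill,
            "after_gc": after_gc, "after_erase": after_erase}


if __name__ == "__main__":
    for step, copies in trace_deletion().items():
        print(f"{step:<16} raw copies of the secret: {copies}")
```

The raw copy survives delete, zero-fill and a garbage-collection pass because its block still holds live data; only the whole-device erase clears it.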

The Only Way to Delete Data from SSDs with Certainty

You already know the answer. The only definite, absolute, and foolproof way to destroy data on an SSD (or an HDD) is to reformat the device. You could even go one stage further and squash it with a steamroller, as writer Terry Pratchett’s pal did to his unfinished manuscripts in accordance with his last will and testament. We are happy the vintage steam-driven beast, made in 1923, survived intact. The data apparently did not.

Can we trust where Smartphone Manufacturers source their Components? https://eraser.heidi.ie/can-we-trust-where-smartphone-manufacturers-source-their-components/ Tue, 05 Sep 2017 09:12:41 +0000 https://eraser.heidi.ie/?p=906

The Woot 17 Conference had some interesting topics on its agenda from 16 to 18 August 2017. It released its workshop papers on a free, open source basis because it wants a wider public to benefit from the research. Today, we focus on a paper titled ‘Shattered Trust: When Replacement Smartphone Components Attack’ by researchers from Ben Gurion University.

They question whether we are right to trust non-franchise repairers with our phones just because they may be cheaper. They are concerned that smartphone manufacturers buy in some components from third parties, which could include near field communication readers, wireless charging controllers and orientation sensors. Hence, the manufacturers have no control over cowboy phone repairers that source replacement parts directly from the component manufacturers.

How a Cowboy Phone Repairer Could Hack Your Phone
We wish we had been there ourselves and could report directly. Instead, we are grateful for input from Ars Technica, which we acknowledge freely. The researchers simulated two standalone attacks using malicious touchscreen hardware with hidden chips that compromised a stock Android phone.

Their two ‘victims’ were a Huawei Nexus 6P and an LG G Pad 7.0. In both instances, they replaced the screens with ones they had tampered with. Then they were able to log keyboard patterns and inputs covertly, upload malware apps, and even take pictures and email them back to the attackers. This suggests a targeted phone user’s privacy could literally go out the window.

Worse still, the malicious parts booby-trapping the screens cost less than $10 and bypassed the phones’ on-board security features. Moreover, the devices – which were potentially open to mass-manufacture – were ‘indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness.’ Only a skilled technician might be able to detect them, and only if they took the device apart.

The Research Serves to Highlight a Security Disparity
The researchers confirm the original phone manufacturers ‘closely guard’ the iOS and Android operating systems, and that they remain within a ‘trust boundary’ until they leave the works in a sealed box. It is also safe to assume the hardware is similarly reliable, provided the manufacturers maintain their quality systems intact.

The disparity takes over as soon as a third party services the product outside the trust boundary, because this is not under the manufacturer’s sphere of control. The researchers conclude, “The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly. As this paper shows, attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques.

“A well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defences accordingly.”

The ‘Chip-in-the-Middle’ Basis Behind The Successful Attacks
The Ben Gurion University researchers embedded a chip in a normal, standard touchscreen. This affected the communication bus responsible for transferring data from the device hardware to the software drivers in the operating system. The malicious integrated circuit placed between the two was able to modify, monitor, or interfere with their communications.

This chip-in-the-middle contained code able to covertly complete actions not initiated by the phone user. It could, for example, log unlock patterns and keyboard inputs, take photos and relay them, substitute phishing URLs, and remotely install apps without the phone owner knowing this had happened.

A hot air blower was all the researchers needed to separate the touchscreen controllers so they could connect the chips. They suggest a variety of countermeasures they think phone manufacturers should take, and they also think the industry needs a certification program for aftermarket parts. We had no idea how wide open we were until we came across the research.

Is your Car Hacking Into Your Phone? https://eraser.heidi.ie/900-2/ Tue, 29 Aug 2017 08:37:23 +0000 https://eraser.heidi.ie/?p=900

Smartphone Privacy & Security: Is Your Car Hacking Into Your Phone
Something slipped quietly into news feeds in the midst of the hype about China’s smartphones being porous, and India demanding data security assurances from her Asian neighbour. This quiet clip appeared in an article on an Orlando news site titled ‘Car tech privacy: Your car’s infotainment system might be grabbing data from your phone’. We decided this needed a closer look.

Cars Increasingly Have Minds of Their Own Computers
The snowballing number of computers in cars is another surprise encircling us in the Internet of Things. There are dozens of them adjusting the fuel and air that enters engines, triggering airbags, tensioning seatbelts, preventing brakes locking, and even allowing us to open the door, sit behind the wheel, and operate a computer-controlled key.

If Google has its way, our cars could soon be driving hands free. Someday we may even send the car solo to collect our internet shopping – what a pleasure that would be!

And Their Car Stereos Do More than Simply Play Music
In 2013, the United States Cyber Security Division wanted to know more about what was happening in cars. This makes sense given the worrisome attacks by car drivers nowadays in mainland Europe. Early experiments focused on planting physical surveillance devices with cellular communication capability. Then they went one stage further, potentially affecting the privacy of the very citizens they were hoping to protect, by hacking into a car’s digital memory.

The U.S. Cyber Security Division’s project piggybacked onto a motor accident reconstruction system able to interrogate a car’s infotainment and telematics. This enabled them to geo-locate a vehicle at a particular split-second in past time, and calculate its speed and trajectory on impact. The company concerned was Berla, based in Maryland.

It does not take a leap of science to realise this information could travel live over a cellular connection. In 2016, Berla released this video detailing the seventy different computing devices it knew of in the average car. Berla believes the most sophisticated cars may have up to one hundred different computers managing their advanced systems. Most vehicles have up to five networks joining these up. Together, this represents enough data to fill a one-terabyte drive in forty hours. More than a few of these devices report metrics to manufacturers over cellular connections.

They Have Stereos Able to Hack Our Smartphones
Hands-free calling while driving links our smartphone into this network of car computers. Entertainment systems now have Bluetooth and USB connections. Soon wireless near field communication (NFC) will do away with wires, as smoothly as Apple Android describes here. NFC can connect with passive devices and power them with an electromagnetic field.

Prepare to be worried about your car’s entertainment system knowing more about what is on your phone than you know yourself. This could include call history, contacts, login codes and more, travelling via USB or Bluetooth to the infotainment computer.

This Technology Is Not New, It Is Proven to Work
On 15 January 2017 Forbes staff writer Thomas Fox-Brewster posted ‘Car Tapping: How Feds Have Spied on Connected Cars for 15 Years.’ We should take him seriously. Thomas has freelanced for The Guardian, Vice Motherboard, Wired, and BBC.com since 2010, among many others. He was named BT Security Journalist of the year in 2012 and 2013 for a range of exclusive articles.

In 2014, he landed Best News Story for a feature on US government harassment of security professionals. We will draw the threads together with this quote from his article:

“It was little surprise to find General Motors had repeatedly worked with cops to hand over not just location, but also audio where conversations were recorded when the in-car cellular connection was switched on”.

There is no regulatory standard over this that we know of, and as far as we are aware no way to turn the snooping off without interfering with the digital systems that manage our cars and keep them safe. The message is clear. We are no longer private when we use our smartphones in our cars in the hope that nobody is eavesdropping on what we say.

Know Your Consumer Rights under the European Union GDPR https://eraser.heidi.ie/know-your-consumer-rights-under-the-european-union-gdpr/ Tue, 08 Aug 2017 14:58:04 +0000 https://eraser.heidi.ie/?p=890

European Union Regulations apply to all member states. We have to implement them in Ireland, and the regulations override any existing laws on the topic we may already have. The EU General Data Protection Act (GDPR) is no exception. Thus, it will be great news for consumers when it comes into force on 25 May 2018.

What the General Data Protection Act Aims to Protect

The GDPR affirms a very important principle for consumers. It says we are the owners of our personal information, and it is private to us until we choose to selectively share. Any government agency (outside of law enforcement) and all businesses must first ask our permission before they add it to their database. Moreover, we have the right to inspect it, correct it, and even remove it completely.

The responsibility to implement the GDPR in Ireland falls within the remit of the Data Protection Commissioner. They are making the process as transparent as possible, and have very sharp teeth to make sure businesses listen. We believe these consumer rights apply retrospectively to any time in the past. Thus, you should also be able to interrogate your personal information captured before the GDPR inception date of 25 May 2018.

Why the European Union Decided We Need a GDPR

The European Union was increasingly concerned about breaches of consumer rights in the handling of personal information. Google and social media, especially Facebook, have been tracking our movements so they can influence our thinking. Every time you find a commercial message popping up during a Google search, or on your Facebook timeline, about a product you are interested in, this is proof that this is happening.

Clear evidence is emerging that people from certain countries influenced the outcome of the U.S. President Election, and probably the UK Brexit, by targeting like-minded people with fake news that influenced their thinking. We believe the GDPR is an appropriate mechanism for controlling this centrally, and thus a step in the right direction.

Business has been up to something equally upsetting, probably for longer. While it is quite okay for our supplier to use our purchasing history to suggest a related product, it is totally out of turn if it shares this with a third party. This is behind some of the unsolicited phone calls and emails that still occasionally pester us. Since the EU General Data Protection Act crosses Union boundaries, we will soon be able to help prevent cross-border violations too.

Our Rights as Consumers under the GDPR in More Detail

We will have a right to insist that banks, insurance companies, government bodies, medical professionals, telephone companies, and other service providers keep our personal details private, and in secure storage. They will also have a duty to tell us before they capture the information, and explain what they plan to do with it.

This is not something brand new. It has been good governance practice in larger organisations for some time. However, the weak link is often in the follow-through, for example, how they prevent a third party from hacking, and stealing what is rightfully ours. Some smaller companies have not seen customer data protection as a priority until now.

The GDPR regulates personal information on a computer, in a manual paper filing system, or in the form of video / voice recordings or photographs. From 25 May 2018, we will have a perfect right to check this personal information is correct, to know who has access to it, and to insist it is only used for purposes we agreed when providing it.

The Data Protection Commissioner will rule in the event of a dispute once they decide who is right. They may also penalise the organisation holding the information if it was wilfully negligent. Here are their contact details, which you may like to keep on file:

Physical Address: Canal House, Station Road, Portarlington, Co. Laois
LoCall: 1890 252 231 / Tel: 057 868 4800 / Fax: 057 868 4757
Email: info@dataprotection.ie / Website: www.dataprotection.ie

Why You Need a Virtual Private Network for Home and Business https://eraser.heidi.ie/why-you-need-a-virtual-private-network-for-home-and-business/ Mon, 12 Jun 2017 08:48:13 +0000 https://eraser.heidi.ie/?p=823

Every time we use the internet for communication or research, we potentially leave ourselves open to abuse, interference, and surveillance. Normally, if we use anti-virus software we should be okay, but there are exceptions. Places where we could benefit from a VPN are public wi-fi and employer networks. The reason is that these provide opportunities for malicious co-users to see what we are doing.

What are VPN’s, And What do VPN’s Do?
Virtual private networks are functionally similar to hard-wired networks, except they are on a cloud. They create a secure tunnel between your computer and the sites you visit, thereby blocking intermediary hacking. Perhaps we should say ‘mostly blocking’. National security departments are generally ahead of the game, and so it seems is WikiLeaks.

Virtual Private Networks for Businesses
Any business with people at remote sites should definitely benefit from a VPN service. This is especially true of managers and staff who travel a lot, and use hotel, restaurant, and airport wi-fi to exchange ideas. If they also access business data centres this should become an imperative.

Virtual private networks are user friendly. When we connect to our chosen one, it launches a credential login screen so we can exchange key information. After our computer and the VPN server have verified each other’s authenticity, the privacy tunnel is complete and ready to repel boarders. Once you become accustomed to the service you may wonder why you took so long to come on board yourself.

VPN Services for Personal Users
Virtual private networks come in handy in all kinds of ways. By choosing one in the right geolocation we can bypass government censors, and checkpoints preventing us from streaming music and watching videos outside our own country. For example, the ‘secret tunnel’ can evade a copyright restriction that makes a publication available only to residents of a particular country. This is because most websites believe you are browsing at the VPN server’s location.

How Private Internet Users Benefit
• Frequent travellers and students on gap years can watch their favourite sports channels live, instead of relying on local news sites that report retrospectively
• Surfers downloading legal, risqué, and embargoed content can prevent Google from analysing their interests and selling them to paid advertisers
• Internet clients who just don’t like the idea of people snooping on them (including their own ISP) can gain a level of confidentiality becoming rare

The Two Most Important things to Know about VPN’s
In theory, and in truth most of the time, a good virtual private network secures your internet connection, so it is as good as if it were hard wired. However, and this is important, there are ways to crack VPN security especially by governments. The bigger corporate entertainment providers like Netflix are also in the loop, so they could be watching you too.

A Handy Checklist When Choosing a Quality VPN Provider
Shop around to get a feel for what VPN services provide. Then shortlist the ones that appeal to you most. Compare them in terms of standard and upselling features, where their servers are, what protocols they use to connect, and how much they cost. Next, understand the niche they aim to serve. For example, are they targeting:
• Bulk data loaders who just want a little privacy while they do so
• Occasional surfers who want the assurance of protection
• Users wanting to bypass geo-restrictions on services and apps
There is always give-and-take between quality and price when shopping. Prepare to be flexible while keeping your eyes open. There are good, bad, and indifferent virtual network providers. Google for reviews on trusted sources, and ask your social media friends for advice.

To learn more about VPN’s go to: https://www.bestvpn.com

Are VPNs Safe? https://eraser.heidi.ie/are-vpns-safe/ Wed, 31 May 2017 12:57:38 +0000 https://eraser.heidi.ie/?p=820

Anger as US internet privacy law scrapped https://eraser.heidi.ie/812-2/ Thu, 27 Apr 2017 09:32:47 +0000 https://eraser.heidi.ie/?p=812
