USB firewall
January 8th, 2008
For a while it seemed like everyone was cashing in on the USB craze, where every hardware and software application that you could dream up was available in USB format. All you would have to do is build a bare bones PC with lots and lots of USB ports and you could add everything you could possibly want.
From a security point of view it’s always useful to have a firewall, especially a hardware firewall. And now you can own your very own hardware firewall in the palm of your hand.
Vodafone HSDPA
January 8th, 2008
I discovered over the Christmas period that a few people I know who don’t have landlines (bad credit history, non-payment of bills, etc) have found a way of getting themselves on-line from the comfort of their own home wirelessly, using HSDPA.
They are using wireless modems supplied by Vodafone UK containing 3G SIM cards, and connected to their desktop or laptop PCs via a USB cable (supports 1.1 and 2.0). The thing is, the two units that I got to test out were not using any security software, just whatever came with the PC.
It is being predicted that in five years the rest of us will also be moving away from the traditional hardwired broadband model to a more ‘wireless broadband’ internet. This will suit Yahoo, who are already developing applications to cater for this move.
Blind links
January 2nd, 2008
Have you ever wondered why when you click on some web page links, you end up at a different web page from the one you were expecting? Even when you hovered over the link to confirm the address in your browser’s status bar, before clicking? No, it’s not a browser hijacker, you’ve just followed a blind link.
Blind links are written by the site’s webmaster as a way to increase revenue or click-through ratings. The web page code is using embedded JavaScript to show you one URL, while sending you somewhere different with each click (it is possible to get to the URL you want, but it may take quite a few tries).
This is a well used tactic of sites trying to make money from visitor traffic by directing visitors to sites they (probably) don’t want to visit (such as those serving adult content), but whose owners will pay the re-director a fee for the traffic.
Any sites I encounter using this technique are added to my hardware firewall’s block list.
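A way to spot this pattern when reviewing a page's markup, as an added example that is not part of the original post: it flags anchors whose script handlers reference a different host than the href shown in the status bar. The sample HTML, host names and function names are constructed for illustration, and only inline handlers with double-quoted attributes are covered.

```javascript
// Added example: flag anchors whose inline handlers navigate to a different
// host than the href the browser displays. SAMPLE_HTML is constructed.
const SAMPLE_HTML = `
<a href="http://news.example/story">Story</a>
<a href="http://news.example/photos" onclick="window.location='http://ads.example/r?id=7'; return false;">Photos</a>
<a href="http://news.example/video" onmousedown="this.href='http://tracker.example/out'">Video</a>
<a href="http://news.example/about" onclick="location.href='http://news.example/about?ref=nav'">About</a>
`;

const ANCHOR_RE = /<a\b([^>]*)>/gi;                // opening <a ...> tags
const ATTR_RE = /([a-z-]+)\s*=\s*"([^"]*)"/gi;     // name="value" pairs
const URL_IN_SCRIPT_RE = /https?:\/\/[^\s'"<>)]+/gi; // absolute URLs in handler code

function parseAttributes(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

function hostOf(url) {
  // Relative or malformed URLs have no host to compare and return null.
  try { return new URL(url).host.toLowerCase(); } catch { return null; }
}

function findBlindLinks(html) {
  const findings = [];
  for (const tag of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttributes(tag[1]);
    const shownHost = hostOf(attrs.href || "");
    if (!shownHost) continue;
    for (const [name, value] of Object.entries(attrs)) {
      if (!name.startsWith("on")) continue;        // only event handlers
      for (const target of value.match(URL_IN_SCRIPT_RE) || []) {
        const targetHost = hostOf(target);
        if (targetHost && targetHost !== shownHost) {
          findings.push({ shown: attrs.href, handler: name, target });
        }
      }
    }
  }
  return findings;
}

console.log(findBlindLinks(SAMPLE_HTML));
```

Handlers attached from external scripts are not visible in the markup, so a clean result here does not prove a link is honest.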
Researching
November 9th, 2007
I had one of those governmental social researchers come around to ask questions about my opinions on crime in the area, how well I perceive it as being tackled, etc etc. I was also asked a series of questions on whether I use computers, if I purchase items online, and if I’m worried about fraud and unsure about the techniques I could use to reduce the risk. Hmm.. I told her what I do for a living.
At the end of her research questions, she put away her laptop and got out her notepad and pen. “Do you mind if I ask you a few questions about computer security?” Apparently she had just signed up to broadband and had a wireless router sent to her by her ISP. Only the other day, she had heard something about wireless networks not being so secure, could I tell her more?
nG
October 30th, 2007
I’ve been wondering about the difference between 2G and 3G mobile phone networks recently, so I started to do a little research. It got a little confusing at first, especially if you add 2.5G, 2.75G, and 4G to the mix.
Anyway, here are my notes. Feel free to comment on them and correct me. They are based on mobile phone networks in Europe.
1G
First generation mobile phone technology using analogue radio signals routed over a circuit switched network.
2G
Second generation mobile phone technology using digital radio signals, such as GSM, also over a circuit-switched network (or packet-switched for GPRS, taken from 2.5G).
3G
Third generation mobile phone technology using wide area cell phone networks, using UMTS instead of GSM, following the IMT-2000 standard.
4G
Fourth generation mobile phone technology. Several standards currently in development are competing with each other for the 4G crown.
Gone in a flash
October 25th, 2007
I’ve been happily using 4GB USB 2.0 flash drives for a while now, transferring data between machines at various locations, and using them as temporary backup devices. For some reason I’d come to the conclusion that 4GB was going to be it for these small memory sticks, and that if you needed more than 4GB you would have to invest in an external hard drive.
How wrong was I? Integral have announced their 32GB flash drive. 32GBs! That’s more than my 4-year old laptop has as a hard drive. I could back up my whole laptop onto something the size of a key fob! There’s even talk about 64GB flash drives becoming available shortly.
Having the ability to carry so much data around with you may be convenient, but from a security point of view it also means that there’s even more of your data at risk of being stolen. Or these devices could be employed to do the actual stealing. The complete contents of a target computer’s hard drive could be copied onto a device that fits into the palm of your hand.
Several companies are already updating their security policies to state that flash drives are not allowed on the premises. It’s one thing to say they are not allowed, it’s another to police it. As the world goes USB mad, it’s possible to purchase USB flash drives in a variety of form factors. So instead of having to look for the obvious ‘pen drive’ form factor, you have to wonder if that fuzzy bee keychain on that girl’s handbag is what it appears to be, or a USB flash device in disguise.
Somebody even figured out that the width of a USB connector is smaller than the diameter of an AA battery, so they built a battery that can recharge from a USB port. How long before someone builds a USB flash drive that looks like a battery? You could sneak it into places disguised as a battery in a portable radio.
OmniAccess 3500 Nonstop Laptop Guardian
October 25th, 2007
It didn’t take long for tech companies to catch on to the growing market need for ways to secure data held on employee laptops. I’ve read various hardware and software solutions, the latest being the OmniAccess 3500 Nonstop Laptop Guardian from Alcatel-Lucent.
Most of the solutions I’ve read about so far rely on the laptop thief booting the laptop in the state that it was stolen. In other words, powering up the laptop and trying to log on to the internet. This assumes that the thief is not a data thief, as data thieves just remove the hard drives from laptops so that no custom hardware is activated that may destroy the data, or no security software is executed that could delete/corrupt the data. A data thief will slave the stolen hard drive to his own machine (or more likely, image the drive and work on the image).
The OmniAccess 3500 acts as an encryption/decryption key for the data and without it, the data cannot be decoded. It also allows remote control, GPS tracking, and remote data erasure calls.
In theory it sounds like a step in the right direction. However, separating the PCMCIA card from the laptop prevents the card from destroying any data on the laptop hard drive (assuming there is one and that the PCMCIA embedded OS is not running like U3 and using the laptop hardware as a dumb terminal). You may not be able to decrypt the data, but you still have a copy while you wait for someone to reverse engineer the encryption algorithm.
Secure your Windows XP computer for free
October 20th, 2007
I’m often asked what security software I use on my Windows XP laptop so I’ve compiled a quick list below. Everything I use is free.
Software Firewall
The first step in securing your laptop is to install a decent software firewall. If you are connecting to various networks, wired or wireless, it’s not a good idea to just hope that the network you are connecting to is secure, you need to protect your laptop and your data.
Windows XP SP2 comes with its own software Firewall, and although I have used it when nothing else is available, I do not use it on my own laptop. I prefer a software firewall that offers more control, blocks everything from the start, and learns what software I wish to allow access to the internet, either temporarily, or always.
I previously used ZoneAlarm, but over time it became bloatware and developed an annoying feature - if you were idle for some time, it would block all internet traffic. The only way to access the internet again was to disable ZoneAlarm or to reboot your computer.
After trying out several alternative software firewalls, I came across Comodo Firewall Pro and I’ve stuck with it ever since.
Anti-Virus
After your software firewall is up and running, next you need a good anti-virus solution. I use AVG Free Edition from Grisoft. I have it updating daily (manually) so that I always have the latest definitions loaded.
Anti-malware
Next you need a good anti-malware solution. Something that will remove spyware, adware, browser hijackers, web diallers, and other types of malicious software that is not necessarily detected by your anti-virus solution.
I use Spybot Search and Destroy as my anti-spyware tool of choice. I search for updates, immunise, and run a complete system scan once a week.
Web browser
For surfing I use the Firefox browser with the NoScript plug-in. This allows you to control what scripts run on any web site you visit. For instance you can allow scripts that run a feature of a web site you want to access, but block scripts that serve you adverts.
Email address typo
October 9th, 2007
Sometimes even those of us in the computer security field can make stupid mistakes when carrying out a task that they have done a thousand times before, without really thinking. In this case I decided to fire off a quick email at a client’s site to my personal email account just to remind me about something or other I had to do later that day. Normally I’d stick a reminder in my mobile phone calendar, but I was sat in front of an email client and it just seemed quicker.
Later that day when typing another email, the ever helpful email client suggested from its history file a selection of similar email addresses based on the characters I had typed so far into the to: field. That is when I noticed that I’d typed my personal email address incorrectly earlier that day as the client had remembered what I’d typed, and it was wrong. In this case the typo was in the domain name. This could be bad.
Now bearing in mind that I’m at a client’s site, I’m not about to type the typo domain name into my browser to see if it actually exists, because it just might be a site that could get me into a whole lot of trouble. So I did a whois lookup and just my luck, the site exists. What was worse was that the registered contact name for the site owner was ‘SpamKing’ at the domain name in question.
So for the rest of the day I’m kicking myself for making such a stupid lazy mistake. I may have just handed my work and personal email addresses to a spammer.
Luckily not long after, my email server returned an error saying that it was unable to deliver the email after repeated attempts.
This stupid mistake started me thinking about email address typos. How easy it would be for spammers to register domain names for every possible typo of a popular web email domain name that they can think of, then set up an email server to collect all the email addresses they receive from those of us in such a rush that we don’t check what we just typed before hitting send.
So don’t just check your message content before sending, make sure you also check the spelling of the recipients’ addresses.
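One way to automate the spelling check on the recipient's domain before sending, as an added example that is not part of the original post: it compares the typed domain with a list of domains you normally write to and warns on near misses. The trusted list, sample addresses, function names and the distance threshold of 2 are assumptions made for illustration.

```javascript
// Added example: warn when a recipient domain is a near miss of a trusted one.
// TRUSTED_DOMAINS is a constructed list; use your own address book in practice.
const TRUSTED_DOMAINS = ["example.com", "mail.example.org"];

// Optimal string alignment distance: counts inserts, deletes, substitutions
// and swaps of adjacent characters, the usual shapes of a keyboard typo.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

function checkRecipient(address, trusted = TRUSTED_DOMAINS, maxDistance = 2) {
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) return { status: "invalid" };
  const domain = address.slice(at + 1).trim().toLowerCase();
  if (trusted.includes(domain)) return { status: "ok", domain };
  let best = null;
  for (const t of trusted) {
    const distance = editDistance(domain, t);
    if (distance <= maxDistance && (!best || distance < best.distance)) {
      best = { suggestion: t, distance };
    }
  }
  // "suspect" means close to, but not equal to, a domain you already trust.
  return best ? { status: "suspect", domain, ...best } : { status: "unknown", domain };
}

for (const addr of ["me@example.com", "me@exmaple.com", "me@example.co", "me@other.net"]) {
  console.log(addr, checkRecipient(addr));
}
```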