USB firewall
January 8th, 2008
For a while it seemed like everyone was cashing in on the USB craze, where every hardware and software application that you could dream up was available in USB format. All you would have to do is build a bare bones PC with lots and lots of USB ports and you could add everything you could possibly want.
From a security point of view it’s always useful to have a firewall, especially a hardware firewall. And now you can own your very own hardware firewall in the palm of your hand.
Vodafone HSDPA
January 8th, 2008
I discovered over the Christmas period that a few people I know who don’t have landlines (bad credit history, non-payment of bills, etc) have found a way of getting themselves on-line from the comfort of their own home wirelessly, using HSDPA.
They are using wireless modems supplied by Vodafone UK containing 3G SIM cards, and connected to their desktop or laptop PCs via a USB cable (supports 1.1 and 2.0). The thing is, the two units that I got to test out were not using any security software, just whatever came with the PC.
It is being predicted that in five years the rest of us will also be moving away from the traditional hardwired broadband model to a more ‘wireless broadband’ internet. This will suit Yahoo, who are already developing applications to cater for this move.
Blind links
January 2nd, 2008
Have you ever wondered why when you click on some web page links, you ended up at a different web page from the one you were expecting? Even when you hovered over the link to confirm the address in your browser’s status bar, before clicking? No it’s not a browser hijacker, you’ve just followed a blind link.
Blind links are written by the site’s webmaster as a way to increase revenue or click-through ratings. The web page code is using embedded JavaScript to show you one URL, while sending you somewhere different with each click (it is possible to get to the URL you want, but it may take quite a few tries).
This is a well used tactic of sites trying to make money from visitor traffic by directing visitors to sites they (probably) don’t want to visit (such as those serving adult content), but whose owners will pay the re-director a fee for the traffic.
Any sites I encounter using this technique are added to my hardware firewall’s block list.
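The mismatch described above, between the URL shown on hover and the destination set by script, can be checked statically before a site goes on a block list. The following is an added example, not code from the original post; the function names and the sample markup are constructed for illustration, and the check is a heuristic that only sees inline handlers.

```javascript
// Added example: static heuristic for "blind links" in fetched HTML.
// Flags anchors whose inline event handler mentions a URL on a different
// host than the href the browser shows on hover. Sample markup is constructed.
const HANDLER_ATTRS = ['onclick', 'onmousedown', 'onmouseup'];

// Read one attribute value (double- or single-quoted) from a raw tag string.
function getAttr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*("([^"]*)"|\'([^\']*)\')', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[2] !== undefined ? m[2] : m[3];
}

// Absolute http(s) URLs that appear inside a handler body.
function urlsIn(script) {
  return script.match(/https?:\/\/[^\s'"<>)]+/gi) || [];
}

// Hostname of a (possibly relative) URL, or null if it cannot be parsed.
function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch (e) { return null; }
}

function findBlindLinks(html, pageUrl) {
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const href = getAttr(tag, 'href');
    if (!href) continue;
    const shownHost = hostOf(href, pageUrl);
    for (const attr of HANDLER_ATTRS) {
      const body = getAttr(tag, attr);
      if (!body) continue;
      const targets = urlsIn(body).filter((u) => hostOf(u, pageUrl) !== shownHost);
      if (targets.length) findings.push({ shown: href, handler: attr, targets });
    }
  }
  return findings;
}

// Constructed sample page: one blind link, one tracking call, one same-host rewrite.
const SAMPLE = [
  '<a href="http://news.example.com/story" onclick="window.location=\'http://ads.example.net/in?id=7\'; return false;">Story</a>',
  '<a href="/about" onclick="track(\'about\')">About</a>',
  '<a href="http://news.example.com/a" onmousedown="this.href=\'http://news.example.com/b\'">More</a>',
].join('\n');

console.log(findBlindLinks(SAMPLE, 'http://news.example.com/'));
```

Handlers attached from external script files, or destinations assembled at run time, are not visible to this check and need the page to be observed in a browser.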
Wardriving made easy with Eye-Fi
December 15th, 2007
I was reading some time ago about the Eye-Fi wireless SD card. It allows you to upload your digital photos straight from your digital camera to your favourite online photo hosting site. Well, according to the marketing speak anyway. In reality, from the reviews I’ve read, you have to set it up to talk to your home Wi-Fi access point (not ad-hoc) as it can’t use public hotspots. In other words, it allows you to upload photos from your camera to your PC in your own home without the use of cables.
The reviews and technical specs I was reading started me thinking about the security implications of this card. Eye-Fi supports WEP (oh dear) and WPA/2 PSK, which means having to configure the card with your wireless network encryption key.
Think about it, how many people leave their digital cameras unattended at parties and social events? All a hacker needs is the Eye-Fi SD card reader and a laptop and he can get your wireless network encryption key in under a minute. There would no longer be any need for a hacker to sit in a car outside your home trying to crack your network encryption. They could just follow you to a bar and wait for you to leave your Eye-Fi enabled digital camera unattended.
Researching
November 9th, 2007
I had one of those governmental social researchers come around to ask questions about my opinions on crime in the area, how well I perceive it as being tackled, etc etc. I was also asked a series of questions on whether I use computers, if I purchase items online, and if I’m worried about fraud and unsure about the techniques I could use to reduce the risk. Hmm.. I told her what I do for a living.
At the end of her research questions, she put away her laptop and got out her notepad and pen. “Do you mind if I ask you a few questions about computer security?” Apparently she had just signed up to broadband and had a wireless router sent to her by her ISP. Only the other day, she had heard something about wireless networks not being so secure, could I tell her more?
nG
October 30th, 2007
I’ve been wondering about the difference between 2G and 3G mobile phone networks recently, so I started to do a little research. It got a little confusing at first, especially if you add 2.5G, 2.75G, and 4G to the mix.
Anyway, here are my notes. Feel free to comment on them and correct me. They are based on mobile phone networks in Europe.
1G
First generation mobile phone technology using analogue radio signals routed over a circuit-switched network.
2G
Second generation mobile phone technology using digital radio signals, such as GSM, also over a circuit-switched network (or packet-switched for GPRS, taken from 2.5G).
3G
Third generation mobile phone technology using wide area cell phone networks, using UMTS instead of GSM, following the IMT-2000 standard.
4G
Fourth generation mobile phone technology. Several standards currently in development are competing with each other for the 4G crown.
Gone in a flash
October 25th, 2007
I’ve been happily using 4GB USB 2.0 flash drives for a while now, transferring data between machines at various locations, and using them as temporary backup devices. For some reason I’d come to the conclusion that 4GB was going to be it for these small memory sticks, and that if you needed more than 4GB you would have to invest in an external hard drive.
How wrong was I? Integral have announced their 32GB flash drive. 32GBs! That’s more than my 4-year old laptop has as a hard drive. I could back up my whole laptop onto something the size of a key fob! There’s even talk about 64GB flash drives becoming available shortly.
Having the ability to carry so much data around with you may be convenient, but from a security point of view it also means that there’s even more of your data at risk of being stolen. Or these devices could be employed to do the actual stealing. The complete contents of a target computer’s hard drive could be copied onto a device that fits into the palm of your hand.
Several companies are already updating their security policies to state that flash drives are not allowed on the premises. It’s one thing to say they are not allowed, it’s another to police it. As the world goes USB mad, it’s possible to purchase USB flash drives in a variety of form factors. So instead of having to look for the obvious ‘pen drive’ form factor, you have to wonder if that fuzzy bee keychain on that girl’s handbag is what it appears to be, or a USB flash device in disguise.
Somebody even figured out that the width of a USB connector is smaller than the diameter of an AA battery, so they built a battery that can recharge from a USB port. How long before someone builds a USB flash drive that looks like a battery? You could sneak it into places disguised as a battery in a portable radio.
OmniAccess 3500 Nonstop Laptop Guardian
October 25th, 2007
It didn’t take long for tech companies to catch on to the growing market need for ways to secure data held on employee laptops. I’ve read various hardware and software solutions, the latest being the OmniAccess 3500 Nonstop Laptop Guardian from Alcatel-Lucent.
Most of the solutions I’ve read about so far rely on the laptop thief booting the laptop in the state that it was stolen. In other words, powering up the laptop and trying to log on to the internet. This assumes that the thief is not a data thief, as data thieves just remove the hard drives from laptops so that no custom hardware is activated that may destroy the data, or no security software is executed that could delete/corrupt the data. A data thief will slave the stolen hard drive to his own machine (or more likely, image the drive and work on the image).
The OmniAccess 3500 acts as an encryption/decryption key for the data and without it, the data cannot be decoded. It also allows remote control, GPS tracking, and remote data erasure calls.
In theory it sounds like a step in the right direction. However, separating the PCMCIA card from the laptop prevents the card from destroying any data on the laptop hard drive (assuming there is one and that the PCMCIA embedded OS is not running like U3 and using the laptop hardware as a dumb terminal). You may not be able to decrypt the data, but you still have a copy while you wait for someone to reverse engineer the encryption algorithm.
Tracking pupils with RFID
October 23rd, 2007
The movements of a group of pupils attending a UK secondary school are being tracked via RFID in a current trial. The RFID tags allow the school’s computer system to determine whether the pupils are in the right classroom, in areas that they should not be, or not on school grounds during school hours.
While the wearing of the tags during the trial is voluntary, campaigners are already raising a commotion about human rights. What they are failing to realise is that the average child is more clued up on technology than the average adult. It’s not rocket science to figure out that if this technology becomes adopted by the nation’s schools, the kids will figure out ways around it, or ways to use it for their own benefit. Instead of getting your mates to say you were in a particular class, you give them your tag or the item of clothing that it’s attached to, and they take it into class so that the computer system will say that you were there.
Secure your Windows XP computer for free
October 20th, 2007
I’m often asked what security software I use on my Windows XP laptop so I’ve compiled a quick list below. Everything I use is free.
Software Firewall
The first step in securing your laptop is to install a decent software firewall. If you are connecting to various networks, wired or wireless, it’s not a good idea to just hope that the network you are connecting to is secure, you need to protect your laptop and your data.
Windows XP SP2 comes with its own software Firewall, and although I have used it when nothing else is available, I do not use it on my own laptop. I prefer a software firewall that offers more control, blocks everything from the start, and learns what software I wish to allow access to the internet, either temporarily, or always.
I previously used ZoneAlarm, but over time it became bloatware and developed an annoying feature - if you were idle for some time, it would block all internet traffic. The only way to access the internet again was to disable ZoneAlarm or to reboot your computer.
After trying out several alternative software firewalls, I came across Comodo Firewall Pro and I’ve stuck with it ever since.
Anti-Virus
After your software firewall is up and running, next you need a good anti-virus solution. I use AVG Free Edition from Grisoft. I have it updating daily (manually) so that I always have the latest definitions loaded.
Anti-malware
Next you need a good anti-malware solution. Something that will remove spyware, adware, browser hijackers, web diallers, and other types of malicious software that are not necessarily detected by your anti-virus solution.
I use Spybot Search and Destroy as my anti-spyware tool of choice. I search for updates, immunise, and run a complete system scan once a week.
Web browser
For surfing I use the Firefox browser with the NoScript plug-in. This allows you to control what scripts run on any web site you visit. For instance you can allow scripts that run a feature of a web site you want to access, but block scripts that serve you adverts.