Tag Archives: security

Safety and Security

2015-03-17 15_29_43It’s fascinating how being in a foreign environment makes you more alert to the kind of stuff you normally wouldn’t give a second thought to.

The past couple of weeks I’ve been, spending a bit of time abroad to celebrate my cousin’s Asian wedding. Being my very first Asian wedding, it’s a fascinating topic and will require another post or two, but the long and the short of it is that I was in Malaysia, and over there, things work a little differently than they do back home.

But you don’t even have to be in a foreign environment in a developing country to be a little more aware of your surroundings. I was hanging around Melbourne airport waiting for my international connection to Kuala Lumpur, and one of my uncles wanted to meet up so he could pass something along to his wife and daughter who had already left. My dad, sister, and myself were waiting just outside one of the domestic terminals, just by the huge Melbourne signage near the designated pick-up and drop-off area. Those that have been to Melbourne airport will know where I’m talking about, and those that don’t should know that it’s really nothing special, in the context of all the big things Australia seems to be obsessed with.

I had just gotten off a flight from Hobart and was checking out what I missed on Twitter when a guy approached me and asked if he could borrow my phone. He had a Beats headphone case strapped to his waist and had two pieces of luggage in tow; it didn’t take much to tell he was a recent arrival, and judging by where he was standing, he was probably waiting around for a lift from a friend.

He gestured towards my phone, asking to borrow it because his own has no signal. He showed me his iPhone 6, and sure enough, “SOS only” was showing in the top left hand corner. He says he needs to call his friend to let him know he’s arrived, and wants to borrow my phone to do so.

I don’t consider myself particularly paranoid. Carefully cautious, maybe, but not overly so. But I hesitated. Call it whatever you want. I had heard the horror stories: people handing over phones only to have the guy run away with their phone, people handing over phones and then have the other guy drop it and absolve all responsibility, that kind of thing. I didn’t really need that kind of hassle before an overseas trip, so I took a split-second to think about it.

In that split-second, I weighed up my options. If he ran away with my thousand-dollar phone, could I catch him and get my phone back? A quick glance said probably, yeah: even if he did run away, he’d be leaving behind his luggage. Plus his backpack would slow him down.

Reasonably confident I could run this guy down if he made off with my phone, I said OK. He asked me if I understood Chinese (no idea where he got that impression from) and I shook my head.

Even after all that, I still wasn’t quite willing to just let a stranger have free reign of my phone. I asked what number he wanted to dial, he showed me on his phone (in WhatsApp, I think), and I dialled the number and made the call. Only then did I hand the phone over, staying close to the guy as he talked to his friend, telling him where to pick him up.

Continue Reading →

Windows Security Just FAILS.

The malware records the magnetic stripe information on the back of a card as well as the PIN (Personal Identification Number), which would potentially allow criminals to clone the card in order to withdraw cash.

The collected card data, which is encrypted using the DES (Data Encryption Standard) algorithm, can be printed out by the ATM’s receipt printer, Trustwave wrote.

The malware is controlled via a GUI that is displayed when a so-called “trigger card” is inserted into the machine by a criminal. The trigger card causes a small window to appear that gives its controller 10 seconds to pick one of 10 command options using the ATM’s keypad.

[…]

A criminal can then view the number of transactions, print card data, reboot the machine and even uninstall the malware. Another menu option appears to allow the ejection of an ATM’s cash cassette.

via Cybercriminals refine data-sniffing software for ATM fraud – Network World.

Whoa. This is BAD.

Seriously, though – DES? Cmon, any first year computing student learns that DES has already been outdated by it’s bigger and badder brother, the Advanced Encryption Standard.

See? I do learn things in Introduction to Systems! 🙂

However, the REAL WTF here is why ATMs all over the world are running WINDOWS in the first place. I’m no Apple fanboy (har, har), but even I recognise that Windows isn’t the most hacker-proof OS out there.

Facebook and PayPal join OpenID…so?

The Facebook Connect experience is simply better than that offered by OpenID, and from a competitive standpoint, Facebook has an opportunity to be the standard identity provider for other websites.

via Facebook Joins OpenID Foundation; So What?.

Just when I thought it was pretty much dead – both Facebook and PayPal have now joined the OpenID foundation.

If you’ve never heard of OpenID before this, you gotta be living under a rock. OpenID allows you to “sign in” to websites using just your OpenID login – so you don’t have to do the whole “registering” process which each and every website you come across.

In practice, it only works if sites have OpenID access enabled – and it would work far better if it were made as a standard, such as HTML and CSS. That way, every web site that allowed you to login would also allow you to login with your OpenID.

Sure, we’ve enabled both Facebook Connect and OpenID login over at freshbytes, but I don’t really see the point of Facebook joining especially since it has it’s own Facebook connect implementation of secure login.

And PayPal? Well, it really does go to show that PayPal still has some clout. Needless to say, it’s imperative that the OpenID security right on this one – and from past experience, OpenID is a little clumsy to use, compared to something like Facebook Connect…

Comments below.