Remote Controlled Door Lock

Lock maker Schlage announced it’s new LiNK lock. Essentially you can control your lock via a website which communicates with your locks via wireless connection to a base station you keep in your home (included in the kit).

One could say this is an extension of a garage door opener, but in many aspects it’s not. First a garage door opener is generally not accessible via the internet (likely the easiest point of entry). There is also a secondary door between the garage and the home, which can be locked, and possibly a home alarm which needs to be dealt with. As for the car itself, it also needs to be started. It’s a multi-step process to do anything real.

I’d be curious to know if it uses 802.11a/b/g/n or some proprietary protocol over 2.4GHz spectrum (most likely). I doubt it’s using Bluetooth due to problems with distance.

I suspect these locks will be hacked by the next DEFCON. Between the website, the base station, the wireless signal, and the lock itself. There’s plenty of surface area for vulnerabilities. This is just too tempting.

Internet Software Web Development

Reliability On The Grid

There’s been a lot of discussion lately (in particular NYTimes, Data Center Knowledge) regarding both reliability of web applications which users are becoming more and more reliant on, as well as the security of such applications. It’s a pretty interesting topic considering there are so many things that ultimately have an impact on these two metrics. I call them metrics since that’s what they really are.

Google Security

Gmail’s Remote Signout And Logging

Google has recently upped their profile in regards to security and privacy. Last week Google made the subtle change of adding a privacy link to the homepage. This is common on most sites, but avoided by Google because they are very strict about cluttering their homepage. Privacy groups have wanted this for years, so this is a pretty large win.

Today Google announced it’s rolling out the ability to remotely sign out other computers from your Gmail account. You’ll also be able to view the IP address, interface (web, mobile, IMAP, POP3), and time that anyone has logged into your account. This is a groundbreaking change in regards to email security.

Now it’s possible for email users to review the logs and see if and when anyone else has accessed their personal email.

I suspect Yahoo, and Microsoft will be working to copy this feature, perhaps with their own enhancements (invalid password logging maybe?). I can also see Facebook and MySpace rolling out a similar feature in the near future. It’s an easy enough enhancement that provides a lot more comfort and security to the product.

Employers going through employees personal email has been hostile waters for a long time including a recent high profile case. This is certain to agitate that. I suspect there are a few companies who will be updating their policies in the next few weeks to try and protect themselves. There will even be a few who will sue Google claiming libel or that Google’s privacy policy should cover you when you log into someone else’s account provided you have one of your own. This is guaranteed to happen.

It’s a good move by Google. This feature greatly enhances the security of Gmail and puts it in a class well beyond what Yahoo or Hotmail currently provide. This is likely the biggest threat to email other than viruses which they all scan pretty well, and phishing, which they also do a decent job with.


AVG Wastes Bandwidth

AVG really needs to fix their “LinkScanner” product. It essentially scans pages for links and pre-downloads them to check for malware. If that doesn’t sound so bad, then your obviously not paying for bandwidth or trying to keep your server load manageable. Essentially it means more traffic pegging servers and downloading pages, but most of it being a total waste.

This isn’t just bad for webmasters. This excess traffic hogs ISP’s (who now plan to charge by-the-byte) and WiFi. In a country where we are tight on bandwidth, this is really a pretty lousy implementation.

AVG even went so far as to use multiple user agents, all of which seem to spoof IE, making it more difficult to block.

The best way to block the bogus AVG traffic seem to be by looking for the Accept-Encoding HTTP header, which could be done using an Apache rewrite rule if you can’t do so on the firewall or load balancer level.

AVG really needs to reaccess this poorly designed product. It’s unnecessarily taxing the web.

Mozilla Open Source Security

Zero Day Vulnerability

This really isn’t very accurate. I don’t know the details of the vulnerability or even if there actually is one, but I question the marketing around the Zero Day Initiatives vulnerability report. The big news seems to be “only 5 hours” after the release.

This isn’t really accurate if you think about it. It would be if Firefox 3 were a tightly controlled product that nobody could see a final version of. Reality is that the entire source code lives in cvs, there are nightly builds, and formal release candidates posted. Could someone have downloaded it after release and found a security issue? Absolutely. Is the timing a little suspicious considering everything was done out in the open? Yes.

It wouldn’t have made any waves if a vulnerability was found in a release candidate. It would have just been patched and a new candidate posted.

The advantage to the open source development process is the transparency through the entire process. The code in the release build isn’t remotely new or surprising. Many people had been running it for days prior to the actual release.

Again, it’s possible it all happened in 5 hours. But I doubt someone discovered a security hole, documented it, then it was verified and confirmed in just 5 hours. Especially considering the open nature of the development process and how easy it is to check things out in advance.

Apple Mozilla

Apple Software Update Results

I presume everyone remembers the whole debate about Apple misusing Software Update to push Safari to iTunes users. For those who don’t, I’d suggest reading John Lilly’s blog post on the topic. Several prominent Mozilla bloggers spoke out about that practice.

It did help their market share according to Net Apps, though we’re talking 0.07 for Safari 3.0 vs. 0.21% for Safari 3.1. Not major, but still noteworthy that it did get installs.

To put this into a little more perspective, Apple has over 35 million iTunes installations (thanks mostly to the iPod). How many of which use software updater, I can’t find any way to accurately guess.

As of the latest release, Apple now separated software updates from installs in their updater, but still keeps it checked by default. It makes me wonder how many people realize it, and how many just find the strange icon on their computer. This could backfire in the long run and become thought of as crapware when it’s not in fact a “free trial” but legitimate fully usable complete software.

I suspect this will be a topic of discussion for several months to come in the software world.

Mozilla Security

Skipping Extension Installation Delay

Firefox has a delay when you install extensions as a security mechanism. This is done because it would otherwise be pretty easy for a website to trick someone into installing an extension before they even realize what they are doing (which is obviously a bad thing). See Bug 162020 for details and even an example.

I’ve seen a few sites publicize how to disable this security feature, though I’d point out this is really not a good idea. It’s 5 seconds people. Even if you have 20 extensions installed, your talking about 100 seconds, less than 2 minutes of your life. Seems like a reasonable compromise for the extra security.


How To Hack A RFID Card

Boing Boing TV has a great video on how to hack a RFID credit card for a mere $8. I’ve said it more than once that I don’t trust it yet. This is why. You just removed the best security feature on the card (the ability to keep it and it’s information out of view).

As a commenter noted, the Nokia 6131 NFC includes the following from their tech specs:

  • Explore mobile weather and news by touching your phone to radio frequency identification (RFID) tags

That’s right, a built in RFID reader. Just needs software for this particular task. I’m sure that won’t take too long.

In The News Security

Pacemaker Firewall

If you have a pacemaker or a defibrillator you may want to consider getting a firewall at some point in the future. They could potentially be “hacked“:

But hackers could transmit the same radio signals — causing a defibrillator to shock or shut down, or divulge a patient’s medical information — without needing a programmer, researchers found in a laboratory test of one model from Medtronic.

I’m surprised there’s no authentication at all on these things. Considering it’s implanted, it should at least require it’s own serial number to be sent back to it to suggest the sender is authorized (presumably because they have the serial number of the implanted device). By not responding to commands for 10 minutes after 3 wrong guesses, it would take a long time to hack. That’s pretty basic, and not foolproof (what about a mistyped serial number during an emergency?), but a start.

Security Tech (General)

How To Steal A Credit Card

I said a while back RFID credit cards still have to prove themselves. Today I saw this interesting story on CNet:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen–the person’s name, account number, and expiration clearly visible.

You can find a ton of information including code and the hardware necessary to duplicate this his website RFIDIOt.

Another real potential issue is companies using RFID for security badges. Considering how easy it is to read and duplicate, potentially anyone who can get close to someone walking into an office can capture the data necessary to produce their own ID card. In this case only matching the photo stored by the company on their computer system (not the one on the badge) to the person’s face is security. So for those offices who don’t have security staff doing this, anyone could theoretically get in.

The best security mechanisms are the most simple and discrete. Credit cards are naturally pretty secure if used correctly. Nobody can abuse a credit card unless they know the number. Nobody can read it through a wallet. The wallet in this case is a great security feature. To read it you need to either visually inspect it for the numbers, copy it, get an impression of it, or swipe it through a reader. All things that require intimate contact with the actual card. Impressive security for some old technology isn’t it?

I’ll stick with swiping a credit card for the foreseeable future. Your only not liable for a stolen credit card if you and your credit card company mutually agree it’s stolen or being misused. Otherwise you may be on your way to an expensive dispute. Regardless it may have hit your credit, and you’ll spend a lot of time sorting it out and getting it corrected. Bad credit costs you money. Some individuals make it sound like it’s just a phone call and your done, but people who have had their credit card stolen sometimes spend several months fighting to save their credit.