Franklin Heath Ltd

Master Your Information Assets

Archive for the ‘Risks’ Category

Comparing the Security of Low-Power Wide-Area Network Technologies

Posted by Craig H on 2 May 2017

I was recently asked by the GSMA to undertake an independent study looking at the security of various LPWA (Low-Power Wide-Area) network technologies. I took on the project because I find it a very interesting topic; these types of network are targeted at IoT (Internet-of-Things) devices, an area I have been working on over the last couple of years with IoTUK and the IoT Security Foundation. One of the main challenges of the IoT space is in making trade-offs to accommodate low-power and low-cost devices, and security is one of the things that might be traded off.

You can download the 20-page report here.
Read the rest of this entry »

Posted in Cryptography, Internet of Things, Network Protocols, Risks | 1 Comment »

Raspberry Pi Fishcam

Posted by Craig H on 16 July 2013

I had security concerns over installing a wireless webcam to keep an eye on our goldfish. Such things are available cheaply off the shelf, typically manufactured in China, but I’m not willing to put a device of questionable provenance on our Intranet, especially not with a direct channel out to a server in China.

I started thinking about using a Raspberry Pi and Skype as an alternative solution. As (most of) the software would be open source, that way I would only have to trust Microsoft and the NSA not to interfere with the Skype server ;-).

My Raspberry Pi camera module didn’t arrive until this week (the first production run sold out almost immediately back in May) and, unfortunately for the plan, Microsoft have turned off the ability to register a Skype developer account in the meantime :-(. Read the rest of this entry »

Posted in Open Source, Risks | 4 Comments »

Thoughts on Trusting Password Managers

Posted by Craig H on 14 December 2010

There has been a lot of buzz about the Gawker Media user account data breach, which came to light last weekend. One aspect of that is a privacy issue (anonymous comments are now no longer anonymous) but the main concern seems to be passwords from Gawker Media sites being used to gain access to accounts on other systems.

First a clarification: it’s not obvious that Gawker Media did anything fundamentally wrong here. The passwords were stored as one-way hashes rather than in the clear, and database breaches can happen to even the most diligent system administrators (software inevitably has flaws, and there are lots of bad guys, some of whom will be able to develop or find out about zero-day exploits). Nor does the strength of the hashing change the outcome much: once the hashed passwords are in an attacker’s hands the guessing happens offline, where off-the-shelf hardware can test a staggering number of candidate passwords per second, so weak or common passwords are “brute-forced” in seconds whatever the hash.
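To make the offline-guessing point concrete, here is an added example (not code from the original post) that models the situation described above: an attacker holding a leaked user table tries a wordlist against the stored hashes, once against an unsalted fast hash and once against a salted slow key-derivation, and then replays whatever was recovered against a second, better-run site. All user names, passwords, salts and wordlist entries are constructed for the illustration, and the PBKDF2 work factor is an assumed value.

```python
"""Offline guessing against leaked password hashes, then reuse elsewhere.

Added example, not code from the original post. All accounts, passwords,
salts and the wordlist are constructed for the illustration.
"""
import hashlib
import os

# Stand-in for a common-password wordlist (real runs use millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey", "dragon"]

# Constructed accounts: two weak passwords, one long random-looking one.
USERS = {"alice": "letmein", "bob": "Tr0ub4dor&3-xk9", "carol": "password"}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the slow scheme


def fast_hash(password: str) -> str:
    """Unsalted SHA-1: one cheap hash per guess, identical for every account."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256: PBKDF2_ROUNDS iterations per guess, per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def leak_fast(users):
    """Constructed leak of a site storing unsalted SHA-1: user -> hash."""
    return {u: fast_hash(p) for u, p in users.items()}


def leak_slow(users):
    """Constructed leak of a site storing salted PBKDF2: user -> (salt, hash)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, slow_hash(p, salt))
    return out


def crack_fast(leak, wordlist):
    """Unsalted hashes: hash each candidate once and match it against every
    account at the same time. Returns (user -> password, hashes computed)."""
    by_hash = {}
    for user, h in leak.items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for guess in wordlist:
        work += 1
        for user in by_hash.get(fast_hash(guess), []):
            found[user] = guess
    return found, work


def crack_slow(leak, wordlist):
    """Salted slow hashes: the salt forces a separate derivation per account,
    each costing PBKDF2_ROUNDS iterations. Weak passwords still fall; the
    defence only raises the price of every guess."""
    found, work = {}, 0
    for user, (salt, target) in leak.items():
        for guess in wordlist:
            work += 1
            if slow_hash(guess, salt) == target:
                found[user] = guess
                break
    return found, work


def try_reuse(found, other_site):
    """Credential reuse: replay recovered passwords against a second site that
    uses its own salts. Returns the users whose login would succeed there."""
    hits = []
    for user, password in found.items():
        if user in other_site:
            salt, target = other_site[user]
            if slow_hash(password, salt) == target:
                hits.append(user)
    return sorted(hits)


if __name__ == "__main__":
    fast_found, fast_work = crack_fast(leak_fast(USERS), WORDLIST)
    print("unsalted SHA-1:", fast_found, "after", fast_work, "hashes")
    slow_found, slow_work = crack_slow(leak_slow(USERS), WORDLIST)
    print("salted PBKDF2: ", slow_found, "after", slow_work, "derivations")
    # The second site hashes properly, but alice and carol reused their passwords.
    other = leak_slow({"alice": "letmein", "bob": "something-else", "carol": "password"})
    print("reused on second site:", try_reuse(fast_found, other))
```

The counts returned show the only thing the hashing scheme buys: six cheap hashes recover both weak passwords from the unsalted table, while the salted slow scheme needs eleven far more expensive derivations to reach the same result. Bob’s long password survives both, and the reuse check is what turns one site’s breach into logins elsewhere.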

There are really only two defences, Read the rest of this entry »

Posted in Authentication, Risks | Leave a Comment »

Give the Bad Guys your PayPal Account?

Posted by Craig H on 20 May 2010

I was concerned to read this blog post from PayPal’s VP of Platform, announcing their Mobile Payments Library. The feasibility of in-application mobile payments is something I’ve looked at often over the years, and I’ve always come to the conclusion that it’s extremely difficult to do securely. I haven’t seen any evidence here that PayPal have solved that.

There are some interesting challenges at the API level that are probably only relevant to security geeks (how does the service know that the application that’s invoking it is properly authorised?) but I won’t go into that now, because it seems there is a more basic and glaring error:

Read the rest of this entry »

Posted in Malware, Payment, Risks | Leave a Comment »

Freeware Application Testing Idea

Posted by Craig H on 1 April 2010

We know that there is a lot of inconvenience associated with distributing free (as in beer) applications for the Symbian platform at the moment – either the developer has to pay to get it Symbian Signed or every user has to sign the application for their own phone using Open Signed Online.

I am suggesting that the Symbian Foundation should host a beta test site for free applications. Developers and volunteer testers would be able to sign up to the site with just an email address and an IMEI, and then they could upload any application they like, and download any application they like. On download, the application would automatically go through Open Signed Online and be signed for that user’s specified IMEI.

Read the rest of this entry »

Posted in Applications, Malware, Risks | 4 Comments »

Health Apps on Phones?

Posted by Craig H on 8 February 2010

This post is about trustworthiness (security in a broad sense) and specifically about reliability.

I see increasingly frequent suggestions that people should use their phones to monitor their health. This is, on the face of it, attractive; being an insulin-dependent diabetic, I carry a blood glucose meter with me pretty much everywhere, and in line with the general trend of convergence (calculator, camera, music player, radio, etc.) wouldn’t it be great if that was built in to my phone?

Well yes, that would be very convenient, but I’m afraid I think it’s a fundamentally bad idea.

Read the rest of this entry »

Posted in Applications, Risks | Leave a Comment »

Worry Less About Malware, More About Losing Your Phone

Posted by Craig H on 25 September 2009

There’s a very good article on the PC World Magazine site about the risks of mobile phone banking. The author, Eric Larkin, rightly suggests that the biggest risk is the physical one of losing your phone and someone finding information on it that could be used for identity fraud.

I don’t have good statistics on the number of mobile phones infected with malware yet, although I am in discussions with the GSM Association Security Group to see if we can publish some; still, I’m personally convinced it’s nowhere near “1 in 63”! Statistics on the theft of phones are easier to come by. In the UK, a 2009 report published by a government department states that 2% of mobile phone owners had their phones stolen in the 12 months covered by the survey – that’s 1 in 50. More people must surely have lost their phones by accidentally leaving them on trains, buses or in taxis, so physical loss of your phone does indeed seem to be the biggest risk.

The lesson? USE THE DEVICE LOCK ON YOUR PHONE! Yes, it’s a little bit of extra inconvenience, but it’s an important protection against identity fraud, which a lot of people are worrying about these days. There are step-by-step instructions for various devices here.

Posted in Risks | Leave a Comment »