OWC are more usually known for their line of Mac-compatible SSDs but unsurprisingly, they do have other products. Andy finds out more from Grant.

The unsightly profusion of mobile phone, tablet and other gadget chargers is a bane of modern life. OWC have a tidy and green solution in the shape of a standard power socket fitted with smart USB charging points which don’t draw power when not in use. It’s approved by UL, too, so it’s home safe. The Power2U is available now for $27.99. OWC – please do a UK version too.

Moving on, iPads are an easy target for thieves and corporate devices doubly so. OWC’s iPad GripStand Station securely stores, recharges and syncs up to 8 iPads at once, even when the iPads are fitted with a GripStand. The security bar and padlock make petty theft much more difficult. Available now from $379, which I gather is a somewhat of a bargain.

Interview by Andy McCaskey of SDR News and RV News Net.

   The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”- 4th Amendment, Bill of Rights, U.S. Constitution

What would you say if your state decided that your ISP had to keep records of all the Web sites you went too? That they had to keep records of both Internet protocol address and domain names of all sites that you visited and they had to keep them for a minimum of two years. That is what is being proposed in the Hawaiian State Legislation under H.B. 2288, which states that Internet destination history information and the subscriber’s information, such as name and address must be saved for no less than two years. I know what some of you are saying I don’t care if the government knows what Web sites I visit I have nothing to hide, or if you aren’t doing anything wrong what’s the problem.

Do you currently belong to any political or social organization like the Tea Party  and do you visit supporting Web sites a lot.  How would you feel if the government started investigating the Tea Party and started looking for information on its members. Now how do you feel about the legislation. Let’s take this to the real world, what if the government required the local retail stores to keep a record of every book you bought, every magazine article you read, the talk radio you listen too, the clubs you joined, the people you associated with, now how do you feel. If you are like me you are saying to yourself that’s none of the government business, well this legislation does exactly that only in the virtual world.

Rep. John Mizuno of Oahu is a lead sponsor of the bill and a similar bill is being introduced in the Hawaii Senate. The bills are being introduced at the behest of Representative Kimberly Marcos Pine, who is in the middle of a dispute with a web designer Eric Ryan, who launched KymPineLsACrook.com and who says she owes him money. Her email was also hacked last summer, at the same time an article was written in the Hawaii Reporter about the dispute.  Because of these incidents Rep Pine has advocated tougher cyber laws. Those who support the legislation say that this type of law is necessary to “to protect people of Hawaii from these attacks and give prosecutors the tools to ensure justice is served for victims.” Unfortunately for the supporters of this bill, that is not how the law works in the United States, you can’t gather information on a large group of people in hopes that you may capture a few bad apples.

If the constitutionality of the bill is not enough there is also the question of what the Internet Provider can do with the information while they hold it. The bill says nothing about how the data should be stored or if it needs to be encrypted. There is no prohibition against the Internet Companies selling the information to anyone including advertiser or insurance agencies. So if you don’t care about the government having the information, how about your insurance company. The police aren’t even required to get a court order to view the information of anyone who uses a computer in Hawaii. This legislation would not only apply to Hawaiian residents but it would also apply to the 6 million tourist who visit the state each year. Which mean coffee shops, hotels, bookstore or anyone else with a public wi-fi would have sweeping requirements and cost put upon them.

We all want the bad guy to be caught and stopped, but not if it means giving up our rights and freedoms. Although SOPA and PIPA were stopped last week in the U.S. Congress, the fight over our rights and freedoms on the Internet is on going, it has simply moved to state legislation, we all need to remain vigilant.

G Data’s Mobile Security provides anti-virus and security monitoring for Android smartphones and tablets. Is this really necessary, you might ask, but I think after some of the recent malware removals by Google, there’s sufficient evidence that Android will increasingly be a target for malware and virus writers. Such is life.

Mobile Security provides three main functions, on-demand scans, blacklist control and authorisation checks for installed apps, all controlled from a main home screen.

Tapping on any of the four areas will show the next screen for that function. Here’s the on-demand virus scanning – no surprises there – but Mobile Security also scans apps as they are installed from the Android Market (or elsewhere presumably) which gives additional protection against malicious software.

The Permissions area shows a set of controlled features such as calls and internet access, and by selecting a particular feature Mobile Security shows the apps that have permissions for that feature. I thought that you might be able to then select an application and revoke its permissions to, say, access the internet, but the only option is to uninstall the app.

A settings screen is accessible from the menu key which provides greater control over the behaviour of Mobile Security’s activities. Usual stuff about scan intervals and automatic scans but all good stuff.

The Logs area shows what Mobile Security has been doing and Update simply checks that the virus signatures are current and up-to-date. Nothing unexpected here.

Unfortunately, I didn’t have any malware to hand so I wasn’t able to test out Mobile Security’s detection and disinfecting abilities but I would imagine that G Data’s got that covered.

It’s a free download from the Android Market to try it out, but it’s £9.99 per year to get updates for new malware and viruses. Alternatively, purchases of other G Data security products such as  G Data AntiVirus include a Mobile Security licence as part of the package.

The licence for this review was provided free of charge by G Data. Thanks.

Among the thousand of items at CES 2012 that have the bling and the pop, often the ones that have a quieter presence may end up being just as important. In this category is a product called DiskCrypt by Singapore based ST Electronics. What is DiskCrypt?The DiskCrypt is a hardware based encryption solution. It turns any 1.8” micro-SATA device into a removable and fully encrypt storage. The enclosure is the size of a 2.5” drive that fits into most of today’s notebooks.

If you have a brand new machine (with no OS installed) you would install DiskCrypt like you would a normal hard drive and then boot-up from it. Once authentication is done, DiskCrypt will than show up as a normal drive. You can then install your OS, Windows or Linux as you would normally. DiskCrypt does not work on a Mac. If you have an existing drive, you have to remove the current drive first. It goes without saying that before you do this you want to backup all your data. Then install DiskCrypt and go through the authentication process. Then using a cloning tool such as Aronis and a USB to SATA Bridge you reinstall the OS and Data. Unlike most software solutions DiskCrypt encrypts every sector, including temp files, and the boot sector without a lost in performance. It uses Nist approved AES encryption algorithm. The cryptographic module in use is FIPS 140-2 level 1 certified. DiskCrypt offers key strength of 128 and 225 bits. With the addition of the optional DigSafe KeyCrypt cryptographic token two factor authentication is available. There is a Master password which is provided to the administrator, who can use that to recover a lost user password. If the Master password is lost, your out of luck, there is no way to recover that. This also means that a good master password that is kept in a secure location is the key. If a password has to be changed that can be done at the time of authentication without any lost of data.

The DiskCrypt enclosure is $450.00. At that price this is clearly not a product that is being sold to consumers. If you are a business small or large and your data is being carried into the field on notebooks that are easily lost then $450 may seem like a bargain compared to the cost of letting that data fall into the wrong hands.

Canadian firm SurfEasy will debut their eponymous USB key-based private Internet browser at CES, Las Vegas, next week. The portable USB key launches its own web browser which uses strong encryption to keep your surfing habits secret and holds all your personal information such as bookmarks, history and web passwords on the password-protected key itself. Nothing is left behind on the computer itself.

“When you stop and think about it, we use many different networks and computers to access our online lives. Whether it’s connecting from the office or using a Wi-Fi hotspot, we’re providing a lot of personal information to computers, networks and websites that are not designed with our personal privacy in mind,” said Chris Houston, founder and CEO of SurfEasy Inc. “SurfEasy lets people take control of protecting their online privacy and security by simply plugging in a USB key.”

One of the biggest potential benefits is when using unsecured WiFi in places like coffee shops. As SurfEasy creates an encrypted tunnel from the SurfEasy USB key across the Internet, no-one can see any detail about your browsing. All they can see is the encrypted data and the volume of data. SurfEasy encrypts the web traffic using SSL and passes the traffic through its own servers, stripping the client IP from the data stream.  The proxy network is hosted in Canada and the US, with other international locations to come soon.

As the data stream passes through SurfEasy’s servers, SurfEasy publish a Customer Bill of Rights which is upfront about what you can expect from the company in terms of keeping your activities secret. Basically, unless you come to the attention of the legal authorities, no usage data is held.

The SurfEasy browser is powered by Mozilla and is compatible with Microsoft Windows XP, Vista and 7. Apple users needs to be on Mac OS X 10.5 or later. The SurfEasy USB key costs $60 and this includes 2 GB per month of encrypted traffic through the SurfEasy network. Additional data costs $5 per month for 25 GB and $10 for 75 GB. Product delivery is expected in February.

I can see this being very handy for backpackers and other travellers who have to use Internet cafes while travelling and are rightly concerned about security. Plug-in the SurfEasy USB key to a public computer and you’re instantly secure wherever you are.

Symantec's report on a recent wave of cyberattacks includes the geographic breakdown of computers used in the attacks.

What do these four articles have in common.

• European Commission suffers ‘serous’ cyberattack
• Cyber-espionage attempts on U.S business are on the rise
• Symantec exposes wave of cyber-espionage attacks
• Hackers Wreck Havoc on Palestinian Internet Services

They are all signs that cyber espionage is growing as a threat in today’s increasingly interconnected world. Not only for the U.S but for other countries and groups around the world. Many believe that most attacks are coming out of China and Russia. Countries like the U.S., Israel also use cyber espionage when it is to their advantage. The use of infected machines by hackers often makes it difficult to know where the attacks actually originate from.  Attacks maybe either done by nation-states, private groups or individuals and telling the difference is very difficult. Some hackers may try to attack defense targets, but most target businesses and involve attempts to steal intellectual property, including design documents, formulas and various manufacturing processes. How many attacks occur yearly is unknown, since many companies do not report such attacks publicly.

The critical importance of the fight against cyber espionage was underscored by retired four star Marine Corps general James Cartwright, in an interview with Reuters. He believes that we should be more public when it comes what general deterrents we have and are willing to use. He said “You can’t have something that’s a secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you. Many experts believe that a deterrents policy needs to be created to indicate the threat of possible action without being too specific. For now U.S officials are silent on the type of deterrents that the US has, however it is assumed that it has both defensive and offense ones it can use.

The Obama administration is currently crafting rules of engagement in cyber space after releasing its general policy earlier this year. Many see cyber space as the fifth pillar of defense, which had been land, sea, air and space. The one thing that is clear cyber espionage is only going to increase in sophistication and intensity as cloud computing becomes more popular.

Studies have shown again and again that the weakest link in securing a customer’s information for a business is the customer service representative who deals directly with the customers. I worked as customer service representative for almost 20 years and trying pleasing the customer, while maintaining security is never easy. The customer is always right is a mantra that is drummed into you from the beginning of your employment. So when a customer calls in and has a reasonable story and it is late on a Friday afternoon, it’s much easier to provide the information they ask for than to deny it. There is nothing but your personal integrity and maybe the fear of being fired holding you back. It is definitely not loyalty to the company, when you know that the company is more than willing to replace you at anytime for any reason and the pay isn’t that good. Also you are always under pressure to complete a certain number of calls during your work day.

Social Hackers know this and use it to their advantage to get the information they are looking for. This is called the Schmooze button by many in the security business. The same person who gets you to buy a TV when you go to a store just to buy some batteries, that’s the same guy who would makes a real good hacker. He knows exactly what to say and how to say it to get you to buy the product or provide the information he is looking for. Many companies spend a lot of money on security, building up firewalls and installing advance systems. Hackers know this, they also know that they can often get around the best security system, using social engineering. The answer than is not to spend more money on advance security systems, the best answer is to continually train the customer service representatives in security and it’s importance. Many companies are now increasing the number of question, they ask a customer who request information. However there is a thin line between maintaining security and irritating the customer, companies have to tread that line. So when you call your bank or credit company because you’ve lost your credit card and they start asking you a lot of questions don’t get mad at them instead thank them for protecting your information from hackers.

The murder trial of Jo Yeates is front page news throughout the UK – a neighbour Vincent Tabak is accused of killing her. At the moment, the prosecution is presenting its case and a couple of interesting things have emerged as evidence.

In particular, the prosecution has alleged that the defendant:

• looked at Wikipedia for the definitions of murder and manslaughter.
• searched for the maximum penalty for manslaughter, i.e. how many years in jail.
• looked up definitions for sexual assault and sexual conduct.
• searched maps showing the area where the body was later found.
• searched on CCTV cameras in street where both the defendent and victim lived.
• use Google StreetView to view the same area.
• researched criminal forensics, fingerprinting and DNA evidence.
• read news stories on the investigation into the disappearance  of the victim.

Of course, it will be up to the jury to decide whether these are good indicators of guilt, but regardless it’s clear that if someone is accused of a crime then there’s a pretty thorough examination of one’s computers and on-line behaviour. Obviously this case is about a very serious crime but it’s almost a gift to the prosecution when put together like this: can you think of any good reason to access this material at the time of the disappearance? However, this is circumstantial evidence and needs to be weighed as such.

On a related note, Google has announced that if you are signed-in to Google when you search, you will automatically use https://www.google.com/, the secure version of Google Search. While this will prevent casual snooping on your search, Google will be keeping hold of your search information so that it can better serve you adverts. And how long does Google keep the search information? Indefinitely or until you remove it. So while on the face of it encrypted search is a good thing, it comes at the price of Google knowing yet more about you.

I suspect that in the current murder trial, all the computer forensics team had to do was look back through the defendant’s browser history. Easy if there’s only one computer, but more difficult if the person has a home computer, work laptop, smartphone and so on. If you’re tied into Google everywhere, all they’ll have to do is subpoena information from Google and get your search data in one tidy little bundle. Nice.

Wired is reporting that a virus has infected the flight systems controlling the Predator and Reaper drone aircraft in the Middle East. The systems have been infected for about two weeks and it appears to be a keylogger-type of virus. Further, the virus has resisted attempts to disinfect the system but the military think it’s benign.

You can read the full article yourself, but as an IT professional I read it with utter horror and dismay. Here we have a (potentially) armed aircraft apparently still operating with an unknown virus in its systems. Does this ring alarm bells for anyone else?

I work in a public sector organisation and our approach to a PC with a virus infection is to pull the plug on the infected equipment and disconnect it from the network until we are able to clean the PC, regardless of whether we think its benign or otherwise. We’re concerned that data might be wiped out. You’d think that the military might have concerns about people being wiped out by a malfunctioning drone but apparently not.

And then there’s the question of how the system came to be infected. Again there seems to be a remarkable lack of knowledge. No doubt we’ll find that the USB ports were unlocked, there was no antivirus software and anybody could plug in a memory stick at will.

Looks like there’s a market opportunity for an AV company…

In the last six months we have cheered the use of Twitter and Facebook during the Egyptian revolution. How they were both used to get and spread information about what was happening and where, allowing the opposition to organize. When the Egyptian government tried to shut them down, the western press and government accused it of denying the Egyptians their rights. At the time few questioned how the west would react under similar circumstances. Lately the answer to this question is started to become clearer and the picture in the mirror is a bit ugly.

Unfortunately last week London and several other cities were rocked by violence. Riots broke out in several parts of the city, according to multiple stories Blackberries phones along with Twitter and Facebook were used to coordinate the rioters. Blackberries were used because messages are encrypted and even RIM doesn’t have the key. Blackberries are also cheap compared to iPhones or Android phones. Prime Minister David Cameron, suggested that social media including Twitter and Facebook maybe limited during riots. Leaving aside technical issues of trying to do this, which there are many, is this the right thing to do and does it cause more problems than it solves. Now you could argue as Prime Minister Cameron did that the rioters were a bunch of thugs and hoodlums and you don’t have the right to use technology to commit criminal acts. However isn’t this what governments like China and Syria label opposition and democracy protestors. If this policy is implemented in Britain, then what credibility does it have to protest a similar action in China, couldn’t the Chinese say we’re just following your lead. Not to mention the fact that if you limit social media (what ever that means) during unrest you are not only punishing the guilty but also the innocent. In fact those who are less tech savvy are more likely to be hurt. Tech savvy users can usually can find their way around government’s attempt to block services using various methods including Tor or VPN services.

Clearly blocking social media in a whole city or even a neighborhood is difficult both technically and socially. However what if you just want to block a single building, like a train station or a subway, well Bart, the San Francisco rapid transit system found a way, they simply shut down the cellular services in the subways. They did this when they heard rumors there would be a protest against the shooting of an unarmed passenger by a Bart policeman They simply shut down the system base station, disabling the wireless network. They did this without informing the various wireless carriers in the area or making any public announcements. So for about three hours there was no cellular service. Commuters couldn’t make calls to home, or work or even 911. Nor could you surf the web or doing any work that was online. The FCC is now investigating the shut down as a possible violation of the Communication Act of 1934, which bans radio or cellphone jamming.

Clearly social media has become a thorn in the side of both democratic and undemocratic governments. The issues are not only technical but also political. The ongoing battle between activist and various governments will continue well into the future as they continually leap-frog each other.

As the fall-out from the News of the World scandal continues, many sources continue to inaccurately refer to “mobile phone hacking”. The truth (as far as is known) was that it was the voicemail of the mobile phone that was hacked rather than the phone itself. There are two ways to do this – the first is to simply guess the PIN of the voicemail and the second is to use Caller ID spoofing.

In the mid-2000s, most mobile phone voicemail systems were poorly protected as they typically came with a default PIN which was often easily guessed and only varied  according to the mobile phone company. Most users didn’t bother to change the PIN. Say the phone was on Orange, then the default PIN was 1234. If it was Vodafone, then 0000.  Typically, the villain then makes two simultaneous calls to the victim. One will be picked up, the other will go to voicemail.   By then pressing “*” or “#” while listening to the voicemail prompts, the individual can gain access to the voicemail system using the default PIN. Computeractive has article covering this scenario and how, in theory, it would be harder (but not impossible) to take this approach today.

As for Caller ID spoofing, this technique makes a call look like it’s coming from a different number than it actually is. It can be used legally to make someone calling from a mobile to actually appear to be coming from a company office, so that the person’s mobile number is not divulged. However, in some instances it has been used to gain access to voicemail boxes as many voicemail systems do not ask for further identification if the system recognises the inbound Caller ID as one of its own. PC Mag and c|net have short articles on how this is done and worryingly, this is still a threat. The Wall Street Journal covered the problem in 2010 before the current scandal broke.

It would appear that the best protection to both these attacks is (a) to change your PIN on your voicemail and (b) require your PIN even when calling from your own mobile phone. That way, even if your Caller ID is spoofed, the caller can’t get in without knowing your PIN.

In one of my more paranoid moments  last month I started using Google’s 2 step verification. Now anytime I want to connect an application or Web site with my Google account I not only have to enter my user name and password, but also a code that is sent to my iPhone. For those applications that don’t take the codes, Google generates application specific passwords. Having listen to Security Now for over 306 episodes I have no doubt this method is more secure then just a user name and password. Well, it would be if I was willing to stick with it, but to be honest I probably will not. It would be all right if I was using it on sites that I thought needed extra security on like shopping, bank and other similar sites. However do I really need two step verification for a site like Goodreads, at that point it just becomes annoying. I have a choice to make I can be secure but constantly annoyed or less secure but happier. I sure you can guess which road I am headed down. I do not think I am unique either I think I am pretty normal. Lets face it most of us want to be secure on-line, we just do not want to work to hard at it.

The problem with most security methods is the better they are the more difficult they are to use.  I do not care how great your security system is, if it is not easy for people to use it is useless. It needs to be as effortless as possible. The more effort it takes to use it the less likely users are to stick with it. Unfortunately the more human friendly security is the more likely it is to be insecure. Security and ease of use tend to work against each other. Somehow we need to find the middle ground between security and ease of use, and as more of our information resides in the clouds this becomes more and more important.

G Data have kindly supplied a copy of their AntiVirus 2012 to give away to Geek News Central’s loyal UK members. I reviewed the next product up in the range, InternetSecurity 2012, a couple of weeks ago and was quietly impressed. AntiVirus 2012 comes with antivirus (obviously) plus phishing, spyware and rootkit protection for a year on the PC and on Android smartphones or tablets.

To be in with a chance of winning, simply leave a comment below saying how you think GNC could be more relevant to a British audience. Don’t forget to leave your email address and I’ll draw at random from the comments in a week’s time. Remember, this is only for people with a UK postal address.

G Data’s 2012 range of security products cover basic antivirus through to specialised protection for laptops and notebooks. Depending on the version purchased, the features build-up from antivirus and safe surfing, through firewalls and spam protection, to backup and data recovery, with additional features in the notebook versions.

On test here is InternetSecurity 2012 which sits between AntiVirus and TotalCare and the main features are antivirus, firewall, safe surfing and spam protection. Parental controls and file shredder are included too. The graphic here shows the main differences between each version.

The software can be purchased and downloaded directly from G Data but in this instance, it was the boxed retail product. Not unexpectedly, the main contents of the box are a CD and a user manual, which generally explains the software quite clearly and simply. A bonus for people who aren’t familiar with security software and as the licence key is stuck on the back cover, it’s easier to keep safe.

A further benefit of the boxed copy is that the install disk also doubles as an emergency disk which can be booted from. This is great for those really nasty viruses which block AV software and being able to boot outside of Windows to get at them is great. If you downloaded the software rather than buying the boxed copy, there’s an option in the SecurityCenter application to create a boot disk but it’s an extra step you’ll probably forget to do.

Installation is straightforward and it’s by the numbers with clear prompts. During the install, G Data clearly explains its privacy policy when it requests permission to send data back for analysis: nothing is hidden away in the EULA. As usual, you have to register with G Data, but the software offers a quick registration of just name and email address. There’s still the option to enter fuller details if you want. As you’d expect, the installation finishes with a reboot.

On rebooting, the G Data icon is now sitting pretty in the system tray and initially InternetSecurity contacts its servers and starts downloading fresh AV signatures. This takes a few minutes but once done, you can go into the main SecurityCenter overview to see the status of the main features.

As you might imagine, each section in the SecurityCenter has further actions and settings. For example, in Virus Protection you can request scans for specific folders or drives. Or you can go into the Settings and change which of the two scanning engines are in use. Without going into every section and being thoroughly boring, all I can say is that the options are comprehensive and give the opportunity for tweaking to your particular circumstances. All of the G Data security products are available as trial downloads so you can check whether they fit your needs before buying.

Performance-wise, InternetSecurity did not seem to have a significant impact on the computer. One touch that I did like was that virus signature updates are scheduled for a particular time rather than automatically updating as soon as you log into Windows. On older computers, this allows you to get using your computer faster than you might with other competing AV products.

Not having a set of viruses handy, I wasn’t able to actually test the AV features of the product but when I did a scan of my local disk, it did pick up a trojan that I wasn’t aware of in some downloaded files. With two antivirus engines built into the product, you’d expect it to catch most of the nasty stuff as each engine takes a different approach to detecting viruses

Overall, G Data InternetSecurity is a comprehensive and competent product with lots of features and a couple of value-adds, such as parental controls. I’d be perfectly happy to entrust my on-line security to this tool.

Prices are £30 for AntiVirus, £35 for the version tested here InternetSecurity and £40 for TotalCare. There are also specialised versions for notebooks and if you have an Android phone, you get AV protection for free with any of these products. All the details are on G Data’s website.

Continuing the battle with the bad guys, G Data has released its MobileSecurity product for Android smartphones and tablets. MobileSecurity is designed to protect the data on phone from viruses, malware and spyware. Apps have to gain authorisation from the user before the app can make calls, send text messages or transfer data. Other features include app blacklisting and app checking during installation. Of course, there are regular updates to the software to keep the protection up-to-date.

Eddy Willems, Security Evangelist at G Data commented: “Malware writers are entrepreneurs: always looking for the best return on investment. According to analysts, Gartner and IDC, Android seems to be the market leader in mobile operating systems, so it is logical that cyber criminals will target the platform. Android malware can be easily spread through apps, which is another reason the platform is targeted. Not only did the beginning of 2011 see the emergence of this trend, but it also saw Android take the lead as the most targeted mobile operating systems in terms of malware. So it is the perfect time to introduce a solution for the protection of Android devices, as we expect a large increase in this area.”

Marketing puff aside, as we’ve seen in the past few weeks with the Mac malware and the Gmail spearphishing, there are criminals out there working out how to attack every major platform. And f they can’t beat the platform directly, they’ll go after the user, which is often the weakest link.

G Data’s MobileSecurity is available for £9.99 from a range of Android app stores or is free with G Data’s 2012 range of security products.

If  you have a Mac, you are mostly likely aware of the malware MacDefender. Which is a fake antivirus program created specifically to attack the Mac. For more details I recommend The Mac Security Blog.  Unfortunately as the Macs become more popular these kind of attacks will become more common, which will make installing antivirus and anti-malware software on a Mac as necessary as it is on Windows. If you are looking for antivirus software for the Mac now you may want to try the antivirus software from Avast! Software Avast Software is based in Prague, Czech Republic and has been stopping virus and malware on the Window’s platform since before Windows 95 was out. They are now making a free antivirus program available for Intel Mac 10.5 and above. It is in beta and available thru the Avast user forum for download.  Avast for the Mac was created specifically for the Mac and not something ported over from Windows. It has three separate shields; one for mail, web and file system. You can also scan your system or a part of it at anytime. The Web Shield is a new build and it actually filters all HTTP material before it reaches the browser. This is key since as Ondrej Vicek, CTO of Avast Software so rightly puts it “The discussion on Mac security has centered perhaps too long on individual operating systems,” added Mr. Vlcek. “There is already a lot of internet-distributed malware out there based on JavaScript which works across various operating system platforms and this beta protects against.”

I am a Mac user and am still not totally convince I need a product like this. However I decided it is better to be safe then sorry so I downloaded avast! Mac beta. The download and install went without any problems. You may lose connection to the Internet for a short time, during the installation. Once installed I had it scan my Home folder and it did it with no problem. When I did a full scan of my computer, I did notice that processes did slowed down. I was running several applications at the time so the slow down was not unexpected. Fortunately nothing was found. I have had it running for two days in the background and the only reason I know is the icon on the menu bar. Whether you need an antivirus software on your Mac is something only you can decide. If you do decide you need one Avast! for the Mac is not a bad choice.

If you or a friend have been conned into installing one of the fake anti-virus tools that has been doing the round recently, you’ll be delighted to hear that G Data are offering a free tool to remove the most prevalent type of scareware, “System Tool”.

Many of us will have seen those pop-ups claiming that our PCs have been infected and most of us will have dismissed them for the scams that they are. However, some people are taken in and G Data has seen an increase of 35% over the past 15 months in this type of fake AV. And if you are taken in, it’s a double whammy, with the criminals getting your credit card details while your PC remains under their control for further malicious activity.

“The development and deployment of scareware has become a highly profitable business. Fake antivirus programs have a double benefit for cyber criminals: they receive money from users who purchased a ‘full version’ of their useless tools and they get hold of the victims’ credit card data. To make matters worse: the fake AV programs often also put online criminals in a position that allows them to download additional malware onto their victims’ computers”, explains Eddy Willems, Security Evangelist at G Data.

The instructions for running the cleaner program is:
1. Download G Data FakeAV Cleaner from the G Data website: http://www.gdatasoftware.co.uk/support/downloads/tools.html. It’s down at the bottom of the page.
2. Run the G Data FakeAV Cleaner setup file. The G Data FakeAVCleaner “System Tool” has to be executed with the Windows user account that is infected. As the FakeAV “System Tool” shuts down all user initiated programs which do not have any kind of reserved name, like explorer.exe, winlogon.exe or svchost.exe and many more, the file name for the G Data FakeAVCleaner is svchost.exe
3. Reboot the computer to finalise the installation.

If you are interested in the background to this kind of threat, G Data have a complementary blog post discussing some of the issues and demonstrates a scareware infection.

The UK’s Information Commissioner’s Office today announced that it was fining Andrew Crossley of the now defunct ACS Law £1,000 for failing to keep secure sensitive personal information about 6,000 people.

The Information Commissioner, Christopher Graham, was particularly critical saying, “The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”

If ACS Law had still been trading, the fine could have been as high as £200,000. As Andrew Crossley was trading as a sole trader under the name ACS Law, it falls on him to pay as an individual.

Previously, ACS Law had been pursuing alleged copyright infringers on behalf copyright holders, including some from the adult entertainment industry. Its main tactic had been to send out letters to the alleged infringers, “encouraging” them to settle outside of court. Apparently over £1 million was raised through this tactic with 65% of the money going to ACS Law and only 35% going to the copyright holders (as reported by the BBC.)

Last year ACS Law’s IT systems were attacked by a distributed denial of service attack (DDoS) which brought down their website. When the site was restored, for a short time a backup file was easily available for download by anyone. This file contained Excel spreadsheets with information on around 13,000 alleged file sharers, including those accused of downloading pornography.

More from the press release…The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.

Overall, a pretty damning report. However, even if ACS Law is no longer trading, one can’t help feel that Andrew Crossley’s £1,000 fine is too small given that around £650,000 was raised by ACS Law by threatening alleged copyright infringers with legal action. I wonder what the average cost to settle was in comparison?

As Todd discussed on his last podcast, LastPass have been very open regarding a possible data breach in their systems. I think they did the right thing but their servers were simply crushed by the rush of people changing their master passwords. But I’m not writing to chastise LastPass. On the contrary, I’m here to admit to being guilty of being careless with my data.

It was probably at least a year ago, if not longer, that I decided to try out LastPass and a couple of other online password storage sites, some of which Todd also mentioned in the podcast. Most of them didn’t work out and while LastPass lasted the longest, even then it finally fell out of favour. Partly it didn’t work all the time but mostly, I just didn’t see the point. Either you want to be secure and type a username / password in every time or else be unsecure and let the browser remember between sessions.

I reverted back to storing passwords in my smartphone in SplashID and it works for me. If I can’t remember a username / password combo for a given site, it takes me a few seconds to look it up on my Pre 2 and I have my Pre 2 with me all the time. All was well until…

When I read that LastPass had an issue…
0 seconds…I don’t use that anymore…
15 seconds….I never deleted the account at LastPass!!!
30 seconds…I never deleted my accounts at any of the online password sites!!!
45 seconds…what were all the sites I tried???

Fortunately, it probably wasn’t as bad as I thought. To start with, most of the online systems I tried only stored a few passwords before I junked them. Secondly, I do change my passwords on a semi-regular basis and finally I was able to track down all the sites and delete my accounts.

However, it’s taught me a valuable lesson – don’t be careless with your information. The fewer places it exists, the less likely it will be to go astray. To back this up, once a year I’m going to sit down and go through all the entries in SplashID. For any websites that I don’t use anymore, I will log on one final time and delete the account or registration.

I suspect these data leaks will get worse before they get better so it’s time to get proactive about controlling your data. Don’t suffer ID theft through your own carelessness. How are you going to make sure that your data isn’t just lying around, waiting to be lost?

If you are into technology or not you couldn’t have missed the out cry over the story that the iPhone is capturing your location data and storing it on both the phone and the computer it is sync to. There have been many articles written on the subject, many which were written to clearly capture the reader attention, like Your iPhone is tracking Your Every Move or a the Huffington Post article The Scary Implications of the iPhone Tracking Everywhere You Go or Got an iPhone or 3G iPad? Apple is recording your moves. Although all of these are true, they are over simplified. The fact that the iPhone and 3G iPad was capturing and storing location information on both the gadget and the computer it is sync to has been known for awhile by the forensic community, Alex LeVinson of Katana Forensic published a paper on the subject for the Hawaii International Conference for System Science 44 in 2010 A book was published in December 2010, called  iOS Forensic Analysis for iPhone, iPad and iPod Touch which has a whole chapter on the issue. The information is not hidden, although the file has moved over the various versions. (Just because something is not announce doesn’t mean it is hidden.) Finally, there is no indication that Apple is pulling any location information into their own server, other then what is permitted under the User Agreement

According to most sources the information that is being collected is the triangulation of the location of the two nearest cell towers plus the direction the phone is headed. It can tell you where the person generally was; ie what city they are in, but not a [specific location][7]. There are indications that many Android phones collect the same information if the location service is turned on.

There are still are still several questions that need to be answer. First why is the information being collected and why is the file kept so long in the backup folder. The second problem is the information is unencrypted, which means anyone who has access to the phone including the police can get to the information. Which bring up the question of how information that is stored on a cell phone or a tablet falls under the Fourth Amendment. The final answer to this question is still to be determine. These are all important question. However in my opinion the sky is falling cry that came out of much of the blogging and social media community was over done and misleading.

Toshiba MKxx61GSYG

Toshiba created a new drive with an interesting security feature: If it gets placed in another system, the drive erases everything.

It’s called the Toshiba SED (Self Encrypting Drive). It’s a 2.5 inch, 7200 RPM drive in sizes up to 640 GB. The drive has a AES-256 encryption and Opal Security Subsystem Class (Opal SSC). But it has even another feature. One that can erase the drive.

It’s a setting you can choose. If the drive gets taken out of the selected device and put in another to read the data, the drive can be set to delete all it’s information. You can also choose to only “deny” access, but what fun would that be?

There is a hybrid mode, too. You can choose certain areas of the disk to be wiped. Therefore, not all data could be lost. I suppose you could have a folder on the drive that opens to a video of Dennis Nedry saying “unh-unh-uh, you didn’t say the magic word” (Jurassic Park reference)…

This drive is meant for higher-end systems and high security computers. Point-of-Sales machines would benefit from this drive if certain data gets stored. Client and service kiosks as well.

While the standard computer user doesn’t need this level of security, it would be great if you have documents that you don’t want people to see. Just remember: if you set it, then try to change the drive, you loose it all.

Of course, to use the drive, you will need to have a computer that supports it. You would also have software that would control the encryption. That way if you want to safely move it to another computer, you can change the settings to move it, move the drive and reset the protocol.

Great for higher security computers. Bad if you forget the function is there in the drive…

The theft of names and email addresses from Epsilon has reached across the Atlantic. Last week I received notification from two UK companies, one of which is a household and high street name, Marks and Spencer, the other is Crucial UK, who will be familiar to almost anyone who has bought computer memory. I’ve included the content from both of the organisations.

Marks and Spencer
We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.
We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk.
We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result. We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Crucial UK
On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some Crucial customers were accessed by unauthorized entry into their computer system.
We have been assured by Epsilon that the only information that may have been obtained was your name and/or email address. No other personally identifiable information that you have supplied to Crucial was at risk because such data is not contained in Epsilon’s email system.
For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. We will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Crucial.
For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails and remain cautious when opening links or attachments from unknown third parties. Our service provider has reported this incident to the appropriate authorities.
We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

I think both of these responses are poor. For one, it’s fairly clear that they’re variations on a pre-prepared statement, probably from Epsilon.

Second, they seem to think that spam email is the worst thing that is likely to happen, without really emphasising that the spam email is likely to be targetted directly at the individual and purport to come from the company (spearphishing in the parlance). Most phishing email is pretty poor, but occasionally you get the odd one that is convincing. Knowing that someone uses a particular website is gold and makes it worth putting together a good phishing email and complementary website.

Finally, hacking an account at either of these sites has become much easier. Both M&S and Crucial use the email address as the login name – knowing that you have a valid login name is half the battle when trying to break in. Let’s face it, time and time again, surveys show that passwords are often easily guessed.

M&S and Crucial, here’s what I want you to do.

i) Delete all credit card information from any affected account or reassure us that you don’t hold that information.

ii) Create a secondary security feature on all affected accounts that uses information that wasn’t disclosed, e.g. post code from postal address. This will become part of the login process.

iii) Monitor logins for suspicious activity, particularly ones that fail the new security feature.

iv) Recommend that people ensure that they have strong passwords on their accounts and give guidance on what a strong password is.

v) Sack Epsilon as your email distribution provider.

What do you think? Has the response from the companies affected been satisfactory? Let me know.

I just started using Wuala a secure online storage available for Mac, Windows and Linux. Wuala is developed and run by LaCie a French provider of external storage. All your files are encrypted directly on your computer before its sent on line. Your password never leaves your computer, not even Wuala has it, so it is important that you keep it in a safe location. According to their site they use bank-level security. It uses AES, RSA and SHA to secure your data. It redundantly stores your data in various location. Their server are based in Switzerland, Germany and France. Because their security is based partly on Java it took awhile for Wuala to develop an application for the iPhone and iPod Touch, but it is finally here and available in the iTunes store.

Wuala will store any type of file including text, video, image and audio and if you have a pro account it will sync the file to your iPhone and iPad in almost real time. Once on the iPhone you can open up the file within the application and view it there. It is read only you can not edit a file within the application. If you want to edit the file there is an option to send it to the appropriate application for editing. You can share a secure link to a file by email. You can also create groups within Wuala and share files securely within that group. In many ways Wuala is similar to Dropbox or other online storage services, there are some differences. Unlike Dropbox Wuala has multiple level of services, which I like since I use this type of service mostly to move and view files on my iPhone or iPad I really don’t need 50 GB of services, but I need more then 1 or 2 GBs. Backblaze is my choice for long term backup. Unlike Dropbox however you can not add files to Wuala directly on your iPhone or iPod touch and services aren’t directly linked to Wuala. I do like how secure it is and I am happy I downloaded it. You do get a 30 day free trial if you want to try out the pro version, which gives you the ability to do auto backup, syncing, time travel, file versioning. I am hoping they will add the ability to at add files directly on the iPhone and iPod Touch.

In recent weeks it has become very evident that Anonymous is a group that anyone running publicly accessible servers should avoid pissing off. While Anonymous publicly embarrasses those companies and sites they go after, the Chinese on the other hand are much more sinister.

As reported this morning on Bloomberg the business of industrial espionage is alive and well. It has been revealed that a significant number of oil industry servers containing highly sensitive data at Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc have essentially been owned by the Chinese government for some time.

What possibly could the Chinese want from the servers from those companies, well potentially trillions of dollars in new oil well finds, that the Chinese can just put a rig over and pump out for their countries own consumption. The for mentioned companies are not being very forthcoming but hackers had access to their networks for over a year.

Multi-National companies like these need to get their collective heads out of their asses and get their networks secure. The same goes to US Government infrastructure, power, water, sewage etc etc etc.

Maybe I am just a paranoid retired Navy guy, but if you think the Chinese government is our friend you have to be smoking crack. While I am sure the majority of Chinese people are lovely people, the goals of their Government are such that companies large and small better start improving their security yesterday.

Steve Iommi chats to Todd and Tom about Somfy‘s new Tahoma system which takes home automation to the next level. It’s based round the concept of “scenes” – a scene might be “weekday-morning” which has certain set of actions, e.g. open blinds at 7.30am, whereas the “weekend-morning” opens the blinds at 8.30. With a whole a range of scenes, everything from blinds to thermostats can be controlled according to the day of the week and the activities of the owner.

As with all things these days, the Tahoma system is connected to the Internet via the homeowner’s Wifi, meaning that the owner can connect via a web browser back to the system to make any changes that might be needed, say, because of changes in the weather.

The underlying technology is the Z-Wave RF home automation wireless standard, so upgrading a home to for automation doesn’t involving lots of recabling. It’s simply a case of replacing the controllers with Z-Wave-compatible ones.

A basic Tahoma system can be professionally installed for under $2000.

Interview by Todd Cochrane of Geek News Central and Tom Newman of The Fogview Podcast.

Please Support our CES 2011 Sponsors.

Save 25% on 4GH Hosting 1yr Subscriptions Save 25% Promo Code CES2.

Todd spoke to Jason Williams from Yale Locks about their newest locks called Yale Real Living. They are introducing two models, a less expensive keypad model and a acrylic touchscreen model. The touchscreen model is activated by swiping your hand across the screen, Then you input your code and your information is sent to the Control4 system. Based on how the system is setup for your code;  you could have the lights come on, turn your TV on, wakeup your computer or anything else that is integrated into the system. Each person can have their own code and can set the system the way they want. You can program it for up to 250 users.

It can be used for both internal and external doors. Jason Williams indicated the system can send you text messages or an email from pre-programmed alerts if you want. You can set it to remotely lock and unlock doors from any web-enabled device.  Even program user access by date and time.  It is highly customizable and very secure.

Interview by Todd Cochrane of Geek News Central.

Please Support our CES 2011 Sponsors.

Save 25% on 4GH Hosting 1yr Subscriptions Save 25% Promo Code CES2.

It’s Handy Andy and Elyse Kaye from Black and Decker, showing off the iShred which is a stylish paper shredder that will fit into the decor of anyone who loves white. The iShred is the world’s “first” vertical paper shredder and it looks like an upside-down snow cone. It’s about 30″ tall.

Instead of feeding paper into the top of the shredder, it goes into the slot in the side. The paper gets collected into the wastebasket at the bottom for easy disposal of the paper. It’s cross-cut-type shredder and it can also handle credit cards.

Only $99 which is a bargain for something this good looking.

Interview by Andy McCaskey of SDR News.

Please Support our CES 2011 Sponsors.

Save 25% on 4GH Hosting 1yr Subscriptions Save 25% Promo Code CES2.

Carissa O’Brien interviews Doug from Taser and demonstrates the use of the Taser C2. We tried talking Carissa into getting tazzed but she was not up for it this year.

The Taser C2 packages start at $379 and up.

Interview by Carissa O’Brien of Geek News Central.

Please Support our CES 2011 Sponsors.

Save 25% on 4GH Hosting 1yr Subscriptions Save 25% Promo Code CES2.

Andy McCaskey invites Ian Collins of Clickfree into the booth to talk about ClickFree’s automatic backup solution. I think all of us know that we’re supposed to backup our hard drives and memory cards, but how many of us actually do it? Not many going by the number of times friends have phoned me up to see if I can undelete files or recover hard drives that have gone south.

Clickfree provide “the ultimate backup experience”, a combination of idiot-proof software and external USB harddrives which makes backing up and restoring files absolutely painless. No software is installed, it’s that easy.

And if you couldn’t even be bothered to plug in a USB drive, Clickfree have released a wireless version of their backup solution, the C3 Wireless Automatic Backup. Connect the unit to each PC, laptop (or Mac) in turn to initialise the software and settings, then simply leave it connected up to the power on a shelf and it does it’s business. 500 GB costs $179, 1 TB is $249. What price peace of mind?

Interview by Andy McCaskey of SDR News.

Please Support our CES 2011 Sponsors.

Save 25% on 4GH Hosting 1yr Subscriptions Save 25% Promo Code CES2.

Kaspersky Lab has been fighting computer malware for over 13 years and have over 300 million users adding 150,000 a week. Their newest product is called. Kypersky Pure Total Security it is a total PC protection for up to three computers. The system manages all three computers through a single PC. The security updates occur automatically in the background and all three machines are updated at once. It has total award-winning parental controls. There is a password vault that can help protect against identity theft. It can even encrypt your important documents and folders. It even has a cleanup tool to keep your system running smoothly. There is even a sandbox mode called Safe Run which allows you too open suspicious applications, Web sites or email attachments safely.  File Shredder a program which can erase your documents and files securely.

The package is $89.95 and includes a year of service to cover all three machines.

Interview by Andy McCaskey of SDR News.

Please Support our CES 2011 Sponsors.

Save 25% on 4GH Hosting 1yr Subscriptions Save 25% Promo Code CES2.