Archive for category Security

File Transfer Without Wires!

Most of us own a smartphone (w/camera) and/or a tablet (w/camera). So HOW do you transfer all those pictures to your laptop/desktop?

Do you:

A – use a “cloud service” (like Dropbox)?

B – use a memory card?

C – use a USB cable?

D – ????

I just found a BETTER WAY – WiFi File Transfer by smarterDroid (yep – this is an Android tool 😉). It comes in two “versions”: a FREE one and a paid-for one ($1.40 – yes, a dollar forty). The free one is limited to 5 MB files.

To use it, just download it from the Play Store (search for “wifi file”) to your droid device(s), fire it up, open a browser to the IP address:port it displays, and have at it.

NOTE: The app is really a web server and you are connecting to it directly over your own network – NOT thru a “cloud service” – so your data stays with you.


FireFox 23 will be a Game Changer w/https sites

There’s an option in FF (version 18.0 and up) called:
security.mixed_content.block_active_content

When FF 23 is released (20.0 is the current release) this option will be enabled by default. What this means is that ANY “mixed” https page will NOT load its non-https active content.

So if you have constructed a site that has any http links in it and your site is on SSL (https), then users will experience “failures”.

QUES: Is this a good thing?

ANS: YES! Attacks using “bad links” are buried in https sites everywhere. You typically see a popup asking if you want to display the “non-https” content. When you do, you take a BIG risk of infecting your system, getting hacked, etc. KUDOS to the FF team for taking this step to block non-https data by default!

I would strongly suggest you test this out NOW to make sure things will work right when FF 23 is released. Using FF 18.0 and up you simply need to:
A – key in about:config in the URL/address line
B – search for the key: security.mixed_content.block_active_content
C – change the value to true
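Flipping the preference shows you what breaks in the browser; the complementary check is to scan your own pages for http:// resources before FF 23 ships. The following is an added example (not from the original post, and not a Mozilla tool) that reports mixed content in an HTML document, separating the active content the preference blocks (scripts, stylesheets, frames, objects) from passive content (images, media). Note that plain navigation anchors are not loaded and so are not mixed content. The sample HTML and host names are constructed.

```javascript
// Added example: regex-based mixed-content scanner (no DOM needed, runs in Node).
// Active content is what security.mixed_content.block_active_content blocks.
const ACTIVE_TAGS = new Set(['script', 'link', 'iframe', 'frame', 'object', 'embed']);

function findMixedContent(html, pageUrl) {
  // Only a page served over https can be "mixed"; an http page has nothing to protect.
  if (!/^https:\/\//i.test(pageUrl)) return [];
  const findings = [];
  // Capture the tag and its src / href / data attribute value (double-, single- or unquoted).
  // <a href> is deliberately not matched: links are followed, not loaded into the page.
  const re = /<(script|link|iframe|frame|object|embed|img|audio|video|source)\b[^>]*?\s(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const url = m[2] ?? m[3] ?? m[4];
    // https://, relative and scheme-relative (//host/...) URLs inherit the page scheme: not mixed.
    if (!/^http:\/\//i.test(url)) continue;
    findings.push({ tag, url, active: ACTIVE_TAGS.has(tag) });
  }
  return findings;
}

// Constructed sample page: two active and one passive http resource, plus cases that must NOT be reported.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src='http://ads.example.net/track.js'></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://www.example.com/about">About</a>
<iframe src=//widgets.example.com/w></iframe>
</body></html>`;

for (const f of findMixedContent(SAMPLE_HTML, 'https://www.example.com/')) {
  console.log(`${f.active ? 'BLOCKED by FF23' : 'passive      '}  <${f.tag}>  ${f.url}`);
}
```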

FYI – Chrome has already made such a change (you get a warning).

IE 10 installs automatically on Windows Updates

If you have Automatic Update turned on:
“Users of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1 will receive Internet Explorer 10 as an important update if they have Automatic Updates enabled, or if they perform a manual scan for updates on Windows Update.”

NOTE: installations which use WSUS (Windows Server Update Services) and control the updates to their machines can easily block this. For individual PCs NOT being managed by WSUS (most of us 😉) there is a “blocker kit”.

Here is the direct download: IE10-BLOCKER


ComboFix is DANGEROUS to Sage SalesLogix and Potentially to Other Apps

We all try our best to keep systems up to date and healthy. There are TONS of tools out there which are “intended” to keep us free from malware and virus attacks. Some do.. some do not.. some cause damage – and ComboFix is one of those that causes damage.

We (as well as many other Sage SalesLogix customers and BPs (Business Partners)) have seen that when ComboFix is run on a system that has Sage SalesLogix synchronization components/apps installed, synchronization will no longer function. Unfortunately (as of this blog post) the ONLY fix for this is a total “wipe” of the hard drive and a complete re-install of the OS as well as all applications. AFAIK there is NO other way to fix the problem once ComboFix has been run.


Sage SalesLogix Mobile Web app – hiding information from users

While in the process of developing an Asset Management application on the new SalesLogix Mobile web app, I ran into an interesting problem… users that should not see “everything” were seeing things they should not.

Specifically, when a user clicked on “Assets” he/she was getting the assets from EVERY Account in the system, whether or not he/she had (security) access to that account. This was not good. The problem was traced very quickly to the AccountProduct table (a one-to-many child of Account) not having a SECCODEID (owner) field.

Short lesson: The SECCODEID field is the key to “row level” security in the SalesLogix database. If it is there and has a value, the “system” automatically checks it against the currently logged-in user (except ADMIN) to see if he/she should have access. If not, the record is NOT returned; if OK, the record is returned.

What is important to point out is that the Account table/entity DOES have a SECCODEID. By adding:
Account/AccountName to my querySelect
and adding:
queryWhere: 'Account ne null'
the problem was solved. Account/AccountName in the querySelect forces the system to see the relationship between AccountProduct and Account, so the Account SECCODEID “takes over”. Unfortunately this uncovered a defect in SData that I needed to handle, and I added the queryWhere to make sure the records that “failed to pass security” did not cause a problem back in the mobile app. NOTE: Even if there had been no error, it was good design/implementation practice to do so anyway.
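To make the before/after concrete, here is an added example (a constructed model, not SalesLogix or SData code) of the row-level check described above: a child table with no SECCODEID of its own is never filtered, and joining through the parent Account, whose SECCODEID is checked, plus the 'Account ne null' filter, is what closes the leak. Table contents, user names and security-code values are constructed.

```javascript
// Added example: constructed model of SECCODEID row-level security for AccountProduct.
const ACCOUNTS = [ // constructed sample rows; Account carries the owner SECCODEID
  { ACCOUNTID: 'A1', ACCOUNTNAME: 'Acme',   SECCODEID: 'TEAM-EAST' },
  { ACCOUNTID: 'A2', ACCOUNTNAME: 'Globex', SECCODEID: 'TEAM-WEST' },
];
const ACCOUNT_PRODUCTS = [ // child table: no SECCODEID column at all
  { ACCOUNTPRODUCTID: 'P1', ACCOUNTID: 'A1', NAME: 'Router' },
  { ACCOUNTPRODUCTID: 'P2', ACCOUNTID: 'A2', NAME: 'Switch' },
  { ACCOUNTPRODUCTID: 'P3', ACCOUNTID: 'A3', NAME: 'Orphan' }, // parent Account does not exist
];

// The "system" check from the post: a row WITH a SECCODEID is returned only if the user
// owns that code (ADMIN sees everything). A row with no SECCODEID is simply not checked,
// which is exactly why every user saw every asset.
function passesRowSecurity(row, user) {
  if (user.name === 'ADMIN') return true;
  if (row.SECCODEID == null) return true; // nothing to check against -> leaks through
  return user.secCodes.includes(row.SECCODEID);
}

// Before the fix: querySelect touches only AccountProduct columns.
function assetsBefore(user) {
  return ACCOUNT_PRODUCTS.filter(p => passesRowSecurity(p, user)).map(p => p.NAME);
}

// After the fix: selecting Account/AccountName pulls the parent Account into the query,
// so its SECCODEID is checked; a parent that fails security (or is missing) comes back
// as null, and queryWhere 'Account ne null' drops those rows.
function assetsAfter(user) {
  return ACCOUNT_PRODUCTS
    .map(p => {
      const acct = ACCOUNTS.find(a => a.ACCOUNTID === p.ACCOUNTID);
      const Account = acct && passesRowSecurity(acct, user) ? acct : null;
      return { ...p, Account };
    })
    .filter(p => p.Account !== null) // queryWhere: 'Account ne null'
    .map(p => p.NAME);
}

const eastUser = { name: 'lee', secCodes: ['TEAM-EAST'] }; // constructed user
console.log('before:', assetsBefore(eastUser)); // every asset, including other teams' accounts
console.log('after: ', assetsAfter(eastUser));  // only assets of accounts the user may see
```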


Amazon’s Kindle Fire – Is the Silk Browser a Major Security Risk?

Amazon has finally released its long awaited “iPad Killer” – the Kindle Fire. BUT is the centerpiece of this new mobile device – the Silk Browser – a major security risk? Here is how it is architected and why the most significant part of it may be something you want to avoid.

Traditional browsers typically get their data directly from the publishing web site(s). Yes, there is some caching at the web site level and in the browser, but you really do get it “directly”. This takes time – and in a lot of cases a LOT of time.

Enter Amazon… What they have done is to re-structure the browser such that it takes advantage of their EC2 (Elastic Compute Cloud) computing powerhouse. Amazon is ON the Internet backbone – it’s (almost) a part of it. By using their “back-end” computing power and net bandwidth they can speed up delivery of web pages significantly. So much that it leaves everything else in the dust and delivers a really great user experience (on a $200 device ;-)). Over time “it” (the “back-end”) “learns” the user’s browsing habits and even pre-fetches pages/sites before you actually navigate there.

What does this all smack of?… you are being “tracked”, and all the pages/sites you fetch are being “held” in the big EC2 cloud (in the sky). In security terms, we call this the “man in the middle”. There is a massive computing resource that sees each and every byte of data you look at.

Is this bad? – it depends… it depends on just what Amazon does with this info/data and just how you feel about it. Or, better said: if you are doing company business and running a corporate web-based application – say a CRM system – then is confidential information being exposed?

Answer – we really do not know, since the Kindle Fire is only available for pre-order and really has not been put to the test – yet. Only time will tell if Amazon has built a better mouse-trap or a very bad security risk.


You Are Being Tracked!

By now practically everyone knows the simple truth that some vendors (Apple, Google) have built in logging that records our every move in their smartphones. With Apple this appears to have started with the release of iOS 4. This file is in CLEAR TEXT on your iPhone/iPad and looks like it’s getting “shipped” off to who knows where. The same is true w/Android devices.

There IS a difference between the two tracking setups – Apple’s is recording (it appears) forever… Android only has some recent data. They are recording and logging information that law officials would normally need a court order from a judge to obtain. So why are they doing this? Various bloggers/respected writers have their opinions on this. One noted individual (John C. Dvorak) has his own ideas on the subject: http://www.pcmag.com/article2/0,2817,2383984,00.asp .. and I agree – it cannot be anything good….

I did see several posts on the net (besides John Dvorak’s) where a couple of Capitol Hill lawmakers (Senator Al Franken, D-Minnesota and Rep. Edward Markey, D-Massachusetts) are asking a LOT of questions about this. It may well lead to a congressional investigation (I hope 😉). So far they have been “stone-walled” by Apple and Google.

UPDATE: Just picked this up off the net … posted by the WSJ: Even if you turn off location services – it is still tracking you! http://online.wsj.com/article/SB10001424052748704123204576283580249161342.html

UPDATE: April 28, 2011: Apple has (finally) responded to all the questions about “tracking”. You can see what they have to say and make up your own mind about it: http://www.apple.com/pr/library/2011/04/27location_qa.html
