Tag Archives: Security

Gadget Man – Episode 108 – Why we should care about what our data is used for?

Following on from the ongoing Facebook / Cambridge Analytica scandal, I was invited to be a guest on James Hazell’s show on BBC Radio Suffolk. We talked in depth about how social networks and apps are using our data.

Please listen in by clicking the ‘play’ button above. Don’t forget to Like, Subscribe, Comment and Share.


Apricorn Aegis Secure Key 3z USB Drive – Move over James Bond and Ethan Hunt, this data really can self destruct in 5 seconds!

Mission Impossible : Rogue Nation – USB Memory Stick deletion scene – image credit: Paramount Pictures

If you watch Mission Impossible: Rogue Nation, you will find a scene near the end of the movie where Faust (Rebecca Ferguson) hands a USB drive to her ‘handler’ Atlee (Simon McBurney). He then proceeds to surreptitiously erase the contents of the USB stick using a combination of distraction, sleight of hand, a Nokia 930 smartphone and a copy of the Financial Times. Faust is thus oblivious to the smoke and mirrors that have just taken place and continues on with her mission (should she choose to accept it!).

All of the above just seemed completely unnecessary and it was with this still in mind that I began testing and reviewing the Apricorn Aegis Secure Key 3z, a storage device which not only hardware encrypts your data but also includes a self destruct option for those most inconvenient moments when your only option is to completely destroy the data!

The majority of disk encryption is at software level which means that you can access the information, but it is in effect ‘scrambled’ using a password or code. Try enough times using either brute force or dictionary attempts and you may just crack the key and thus give yourself access to the information.

Additional technology is simply not required to secure your data with the Aegis Secure Key 3z

The Secure Key 3z uses hardware-based encryption, namely 256-bit AES XTS. AES is an acronym for “Advanced Encryption Standard”, originally invented in 2001 as the “Rijndael Cypher” after its creators Daemen and Rijmen. AES is a widely used encryption standard that is resilient against attacks. It is in fact so highly respected that it has become the ‘go to’ encryption method for security agencies, banks and governments, which trust it with their highly sensitive information and state secrets. The 3z uses 256-bit encryption, which gives a hundred thousand billion billion billion billion billion billion billion billion combinations of keys. With the further addition of the XTS cypher, it renders data stored on the device effectively impossible to access or decrypt.

Out of the box, the Secure Key measures in at 81mm x 18.4mm x 9.5mm, weighs 22 grams and has an internal rechargeable battery. Once unpacked, you will need to set up your Admin PIN straightaway as there is no pre-programmed key. This must be between 7 and 16 digits, and you cannot set consecutive numbers or numbers which are all the same. This PIN is used to set up the Secure Key and allows you to manage other features, but more of that later.

As soon as you’ve added your admin user, you can then (if you like) add a standard user. You would use this feature if you were going to manage the Secure Key and were going to issue it to another person to use. Again, this is fairly straightforward and is covered in the ‘quick start guide’.

In its locked state, the Secure Key is not recognised when plugged into a PC, Mac or mobile device

Whilst locked, the USB is effectively useless. Plug it into a computer’s USB port and you will find the computer won’t even recognise the device as it is hardware disabled, in other words it’s switched off. This is indicated by a ‘red’ LED illuminating on the device. To unlock the device, you press the green padlock key, enter either the user or admin PIN and press the green padlock again. The red LED will switch off and the green LED starts flashing, which indicates that the device is unlocked and ready for use; it is then simply a matter of plugging it into a spare USB port.

The Aegis Secure Key’s FIPS 140-2 validation covers 11 areas of its cryptographic security system, including physical security, cryptographic key management and design integrity.

The key itself is USB3.1 but is backwardly compatible to v3, v2 and v1.1. This gives it a surprising turn of speed of up to 190MB/s read and 80MB/s write.

OK, so the key performs really nicely and has government grade encryption, but what happens if I lose the key and it gets into the hands of an enemy?

Apricorn Aegis Secure Key 3z

First off, the key is encased in an IP58 Dust and Water Resistant tough metal shell with polymer coated wear resistant keys. Inside, the electronic components are protected by a filling of hard epoxy resin, making a physical attempt to access the electronics virtually impossible without causing catastrophic damage.

PIN entry ‘brute force’ protection means that if you enter the code number incorrectly more than 3 times, the space between entry of subsequent PINs slows down. If the incorrect entry of keys hits 10, the red light on the key will start flashing rapidly, and at this point you have 10 more attempts left. If you fail to enter a correct PIN within these last attempts, the key will consider itself as under attack and will delete its data as a precaution.
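To make the PIN rules and the brute-force counter described above concrete, here is a small Python model, added as an illustration and not Apricorn's firmware or anything from the quick start guide. The thresholds (7 to 16 digits, 3, 10 and 10 more) come from the review; the names, the doubling delay, the counter reset on success and the reading of "consecutive" as a fully ascending or descending run are assumptions.

```python
import hmac

MIN_LEN, MAX_LEN = 7, 16   # PIN length limits stated in the review
SLOWDOWN_AFTER = 3         # entry slows down after more than 3 wrong PINs
WARN_AT = 10               # red LED flashes rapidly at 10 wrong PINs
WIPE_AT = 20               # 10 further attempts, then the data is deleted


def pin_is_acceptable(pin: str) -> bool:
    """7-16 digits, not all the same digit, not a consecutive run.

    'Consecutive' is read as a fully ascending or descending run (assumption).
    """
    if not (pin.isascii() and pin.isdigit() and MIN_LEN <= len(pin) <= MAX_LEN):
        return False
    if len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})


class PinGuard:
    """Counts wrong entries and reports the state the review describes."""

    def __init__(self, pin: str):
        if not pin_is_acceptable(pin):
            raise ValueError("PIN rejected by policy")
        self._pin = pin
        self.failures = 0
        self.wiped = False

    def delay_seconds(self) -> int:
        # Assumed doubling back-off; the review only says entry "slows down".
        extra = self.failures - SLOWDOWN_AFTER
        return 0 if extra <= 0 else min(2 ** extra, 60)

    def try_unlock(self, attempt: str) -> str:
        if self.wiped:
            return "wiped"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(attempt.encode(), self._pin.encode()):
            self.failures = 0          # assumed: a correct PIN resets the count
            return "unlocked"
        self.failures += 1
        if self.failures >= WIPE_AT:
            self._pin, self.wiped = "", True   # stored PIN and data are gone
            return "wiped"
        return "warning" if self.failures >= WARN_AT else "locked"
```

The point of the counter is that an attacker gets at most 20 guesses against a space of at least ten million 7-digit PINs before the data is deleted.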

Should you be left in the position of Faust and Atlee in Mission Impossible : Rogue Nation, there is in fact a better option for destroying the data on the card (or in fact having a third party do it for you). Yes, the Secure Key supports the entry of a self destruct key, a key which is designed to delete all data on the key and reformat the device. This key is then assumed as the standard key for the device and it will behave as a brand new drive.

It was quite fiddly to set up, but I was successful in testing the ‘Self Destruct’ mode, it worked as documented and didn’t give me any indication that it was taking place.

Apricorn have made a very solid product with the Secure Key 3z, it looks and feels the part, it worked very well and the security features were exceptional.

I loved the fact that a company is working SO hard to make the theft of data so difficult. In times of cross border data theft, the counter-measures employed by the Secure Key 3z are both impressive and comforting.

Matt Porter
The Gadget Man

Starting at £74 for the 8GB to £228 for 128GB models, the USB Storage Key is reassuringly priced for the corporate market.


Samsung isn’t listening to your private conversations after all

There’s been quite a lot of coverage in the UK media overnight regarding the supposed ability of Samsung Smart TVs to listen in to our private conversations. It all makes great headlines I guess, but after being prompted to comment on BBC Radio Suffolk about the story, we decided to look into the matter a bit more closely.

The story was originally brought to the media’s attention after publication on the online news site The Daily Beast (view) which highlights a particular portion of the Smart TV Privacy Policy (view). The specific section states (important bit in bold):

  1. Voice Recognition
    1. You can control your SmartTV, and use many of its features, with voice commands.
    2. If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.
    3. If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands. While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.
    4. You may disable Voice Recognition data collection at any time by visiting the “settings” menu. However, this may prevent you from using all of the Voice Recognition features.

Again, we looked into the technology behind the TV and found that these specific Smart TVs work in two modes of operation:

1) The viewer can operate basic features of the TV by saying ‘Hi TV’ out loud. The TV wakes up and can be told to “Change Channel”, “Volume Up” etc. These commands are very basic and no online communication takes place at all.

2) This mode of operation can only be triggered by depressing the ‘Mic’ button on the remote control. Whilst it is depressed, the viewer can ask natural language questions such as ‘What shall I watch tonight?’. It is at this point that your words are being recorded. When you finish talking, those words are transmitted securely to third party natural language translation company Nuance (you might have heard of Nuance as they make the very popular dictation software Dragon Naturally Speaking). Upon arrival at Nuance’s servers, the spoken phrase is converted to text, the recording is discarded and the text is returned to the TV for processing. Using a 3rd party means that the accuracy of the translation is much higher and fewer errors are likely to come about due to different accents or dialects being used.

So, put simply: unless someone with very advanced decryption abilities is permanently listening in to your internet connection in the vain hope that you might (whilst asking your TV to find you something to watch) divulge some deeply private secret, the chances of any kind of security breach are very low indeed.

I contacted Samsung for comment and a spokesperson issued the following statement:-

Samsung takes consumer privacy very seriously and our products are designed with privacy in mind. We employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.

Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. Should consumers enable the voice recognition capability, the voice data consists of TV commands, or search sentences, only. Users can easily recognize if the voice recognition feature is activated because a microphone icon appears on the screen.

If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search to execute the command. At that time, the voice data is sent to a server, which searches for the requested content then returns the desired content to the TV.

Samsung encourages consumers to contact the company directly with any product concerns or questions.

So, should we be concerned? Well, yes, we should always be concerned about our privacy and where possible take every step we see fit to ensure it is maintained. We are at constant threat of having our privacy interfered with under the veil of protection by companies and possibly governments, so we should show caution.

However, an obvious legal statement to protect a manufacturer from litigation is perfectly acceptable in our over litigious world and I think in this case, it has been taken out of context.

I would be very interested in what you think, so please feel free to comment as you see fit.

The Gadget Man Special – Securing your Smart Phone

This morning we very briefly discussed securing your mobile device, so in the event of it getting into the hands of a thief, the information stored on the device is safe and it is sufficiently locked down to make it nearly valueless.

Listen in to the stream above and below you will find some useful tips to help you keep your phone and data safe.

The most important points raised were:-

  1. Switch on the pin-code or similar security feature on your phone
  2. If possible set the phone to encrypt your data to this pin-code
  3. Don’t save passwords in web browsers on your phone
  4. Make sure you log out of websites after purchasing items on your phone.
  5. Enable ‘Find my phone’ or similar functionality, this will enable you to remotely ‘brick’ your phone if you have it stolen.
  6. Don’t wave it around in public places.
  7. Make SURE you have adequate insurance to cover the replacement of the phone and other ‘expenses’.

If you are unlucky enough to have your phone stolen, you should immediately:-

  1. Contact your phone provider, do this before anything else as you won’t have to pay call charges made after you have reported it stolen or lost.
  2. Contact the police and get a crime number, this will make insurance claims easier(!).
  3. Log into your ‘Find my phone’ on a computer and see if you can track where the phone is. If you can’t find it or there is no chance of retrieving it, disable it (brick it) straightaway. This makes it nearly useless on the black market and it will only be used for parts.
  4. Take steps for the first set of points, so this doesn’t happen again!!

Useful links to help you ‘lock down’ your device.

10 tips to make your phone more secure

10 ways to secure your smartphone

What to do if your phone is stolen (via Apple)

If you have any tips for making your phone more secure, let us know!!


App of the Week – 14th April 2014 – PasswordBox

This week we concentrate on internet security and choosing strong passwords, featuring PasswordBox for mobile and desktop.