Sunday, December 27, 2009

SmartSwipe (and HomeATM)- A Very Smart Tool For The Cautious Online Shopper

I hadn't heard of this device until I was leafing through the Hammacher Schlemmer catalog tonight and the claim of a credit card reader that you plug in to your USB port that will read your credit card and encrypt the card info, and insert it into the browser, pre-encrypted, to be securely transmitted to any online store without ever passing the unencrypted data to the user's computer caught my attention.

The device is the SmartSwipe by Canadian company NetSecure.

I had a hard time believing that what the catalog was claiming was possible, but then after reading the white-paper on it at the SmartSwipe site I think it's incredibly smart. With this device installed, it's driver is used by the web browser as an encryption engine. The browser (for now it only works with IE) passes off the unencrypted form to the device, which inserts the creditcard data into the form an encrypts the page before passing it back to the browser to transmit to the store website. The device does the encryption, not the browser, so since the card scanning and encryption are done outside the computer, there is no unencrypted data for spyware running on the user's PC to read.

Normally, if you typed it in yourself, there are a number of places where spyware or keyloggers could grab the unencrypted data before the browser gets a chance to encrypt it to pass it securely over the net to the store.

This way the spyware would have to be running on the card reader (which for now anyway, isn't an issue, no one has written spyware that runs in the external card reader) so, it is safe from all the current spyware until it gets to the store's end of the chain.

These are very nice, and I hope that they manage to work deals with the major manufacturers to install these, or better yet, a next generation chip and pin version directly into new PCs.

The SmartSwipe is probably not the only such device out there, the technology to look for if you find another device like it is called Dynamic SSL. I believe Dynamic SSL is the future for secure online shopping. 

For a little company from Saskatchewan, they certainly have made inroads with this device being carried by Costco, Futureshop, Dell and Amazon already, and it only works with 32 bit Internet Explorer so far. Once it works with other browsers it'll probably become a commonplace tool for regular internet shoppers.

[Ed note: Only a few hours after the initial post which mentioned only SmartSwipe, a sales person from Home ATM posted a comment. Therefore I have changed the title to reflect that. Having read the website at I cannot say for sure how the HomeATM works, but I am really disappointed in the video demo that they use to show how secure it is. The fault in the video isn't really with the device itself, but the method that Western Union used to send the money that was taken from his account to the recipient.

Sure, it was securely transferred from his account to Western Union, but then Western Union sent an unencrypted e-mail to a Gmail account with a web link and all the details including a password needed to retrieve the funds. Anyone who could intercept that e-mail could take the money before it got to the recipient. Sure, then it is securely transferred to the hacker's account from Western Union, but the intended recipient is left with nothing.

It is not the device's fault how Western Union chose to implement the transfer, what W.U. should have done was what the Canadian banks on the Interac system do and have the user create a password that they tell the recipient OUT OF BAND so that an intercepted e-mail transfer is still secured by a password that is not known to the intercepting bad guy. It is a poor marketing choice to use a video of a system with such an obvious security problem to demonstrate a security device.

The biggest problem I see with the device itself, aside from being a magstripe and PIN device as opposed to Chip and PIN (which I'm sure will be the next version) is that there doesn't seem to be any way to actually get one.]

Friday, December 18, 2009

New Adobe Reader Vunerability

Adobe Acrobat has another newly discovered 0 day vulnerability.

As usual the fix is to disable JavaScript in Acrobat Reader. Adobe won't have a patch out till Jan 12.
If you have to do it network wide follow the instructions from this post I did back in October to do it via logon scripts.

Upgrade to 9.2 even though it is technically vulnerable, if you turn off JavaScript (which you should do even after the patch is out) 9.2 will let you enable JavaScript on a document by document basis as needed. (usually it is NOT necessary)

Monday, December 14, 2009

Xmas Gifts For Techies 2009

Ok, it's already Dec 14, you only have 10 days of Xmas shopping left. If you haven't already got a big gift for your resident techie, here are a few ideas:

1. PS3 slim. One of the first posts on this blog back in 2006 was the PS3 line watch. Back then I was drooling with anticipation of the upcoming PS3. I bought one in the summer of 2007 because I was stuck at home all day for a few months because of a car accident. ...even back then with hardly any games available it was fun. The new slim version is out now for this Xmas season. It doesn't play PS2 games anymore, and only plays PS1 games if you download them from the online store (about $6 each) but there are lots of PS3 games and bluray movies out now so that's not much of an issue, and if it is, you can always pick up a PS2 slim to go with it for peanuts.

2. Drobo. Every techie needs more disk space... constantly. Drobo will manage it all by itself. You just stick a disk in, when you need more space you stick in another disk, when you need more, stick in another. when you run out of slots to stick disks into you pull out the smallest disk and stick a bigger one in in it's place. No config, no copying files around, it takes care of it all for you.

3. ReadyNAS. For the techie that has more stringent requirements for his/her data storage, ReadyNAS is like Drobo on steroids.

4.Amazon's Kindle e-book reader. For a geek or a book lover (or a geeky book lover) this is a great gift idea. It stores and displays (in black and white) books and magazines bought through Amazon or downloaded as PDF. It has a rechargeable battery, but it only needs to be charged about once a week, even when the wireless is left on all the time. You can go much longer than that if you remember to turn off the wireless connection when you aren't actually downloading a new book.

Network Vulnerability Scanners

Back in September I mentioned that GFI LanGuard was available for free for small companies or home use where you only needed to scan 5 PCs.

One other option that has come up since then is the new much easier to use web-based Nessus 4.2.

Nessus has always been free for home users, but now I feel that it's easy enough for most home users to set up. It comes in a windows version, and there is only the server end to set up now, everything else is done through a browser.

Unfortunately the Pro version of Nessus is a little pricey for the average small business at $1200 per year, but you can hire a pro, like me, to come in and scan your network on a regular basis with this tool for probably a fair bit less than that. (pro licenses are not tied to a physical network, but limited to one machine... so if that machine is a laptop, a pro feed license can go wherever the security contractor takes it.)

Rapid 7 has also recently released NeXpose Community Edition, which I have yet to try out, but is free to use for a network of up to 32 PCs, and there is the open source OpenVAS, which was spun off from Nessus back at version 2, when Nessus was still an open source project. These 2 options I suspect would be more difficult to get up and running than the first two, as they are really aimed at folks with a high level of tech knowledge. NeXpose comes in several other versions for varying levels of additional features, and larger networks, but it is more expensive than the Nessus Pro feed, so very much out of the reach of the average small business or home user, but the Community edition is supposed to be very good, and I'll be playing around with it in the next few weeks and I will let you all know what I think.

No matter which you choose, scanning your network, especially for business networks, is an important part of keeping your network secure. If you don't scan it to find the holes in your security, someone else will, and they probably won't point out the holes to you, they'll probably just use those holes in ways you don't want them to.

One other option, from the folks at Rapid 7 is the free online scan. You can scan 2 IP addresses for free from the internet at This should give you an idea of how exposed your servers that are attached to the internet are. This will only scan public Internet IP addresses. It is probably best to get a local scanner set up or hire a pro to come in and scan the private address space as well, especially if you use wireless.

Friday, December 11, 2009

Making E-mail Private

Ok, hopefully some folks read and made use of my previous post on using SSL in Gmail.
If you didn't and you use Gmail, go read it now. It only takes about 10 minutes to read and another 10 minutes to implement.

Now, I have to wonder why is it that people never seem to care enough about privacy to encrypt e-mails?

Sure, for some it's a matter of not knowing you CAN encrypt, for others it's a not knowing HOW to do it... but it seems the biggest thing is an aversion to using passwords.

I have a 30 character password that I type in whenever I want to encrypt or digitally sign an e-mail. Most people would not go to such an extreme, but even a 6 or 8 character password with PGP or GnuPG that you only had to type once per mail session, when you first open your mail program or when you send the first message that day, would afford a lot more privacy and ensure that mail you think is from friend X isn't really from stranger Y pretending to be friend X.

How many people have had an e-mail come to them apparently from a friend that turned out to be spam, or worse, a virus? ...or even a roommate playing a practical joke on the supposed sender? PGP/GPG would solve that. I've been using this technology on an off (and recently more and more) for years, but surprisingly few others I know use it. I could understand if it were like S/MIME encryption that requires a yearly fee for a certificate, but PGP is free. All it takes is a little bit of effort to get started then you can stop sending love letters and secret passwords and Grandma's secret family recipes on the electronic equivalent of postcards and start mailing things in e-envelopes. (strong e-envelopes).

If anyone reading this is thinking "hey, I should do that, but it's too hard" e-mail me and I'll help you get started. ...just don't get discouraged if Microsoft and I are the only ones who even send you signed e-mails for a while. It's something that will take time to catch on amongst your friends, and that many people won't ever bother with....some folks will always think that secret codes are only for spies and criminals, but if you don't try to protect your privacy, who will?

Rod MacPherson
My PGP key

"Spacebook" Security Lessons In The Form Of A Comic