Blog

This is the blog of the technical experts at GEN and its companies.

Apple Wi-Fi Assist and Mobile Data Charges

Today at the HelpDesk we were dealing with a corporate customer who was experiencing high mobile data charges and wasn't able to pin down the cause. We had a pretty good idea of the cause, and this was confirmed when we took a look at one of the mobile handsets with high usage. In iOS 9 Apple introduced a new 'feature' called Wi-Fi Assist which is supposed to improve connectivity for customers with poor Wi-Fi, which is great, but the issue is that even if you make sure you only use traffic-intensive apps like YouTube when you're on Wi-Fi, with Wi-Fi Assist enabled the device can and will switch to mobile data (without asking you) whenever the Wi-Fi signal becomes weak. That's fine if you have a genuinely unlimited data plan, but most business tariffs are capped, and the overage is where the bill comes from.

Turning it off is easy if you can find it: go into Settings, then Mobile Data (towards the top), then scroll all the way down to the bottom and there it is. On the handset we looked at, Wi-Fi Assist had 'assisted' us to use 478K of mobile data whilst we were on Wi-Fi. Whilst you're in that screen and have turned off Wi-Fi Assist, it's worth having a look through the apps listed above it and making sure you've allowed or denied mobile data per app as needed.

© (c) 2016 GEN Partnership, E&OE

Just Don't

I've just returned from a new customer who has experienced a serious data breach and the blackmail and extortion that follow. We were introduced to this customer by recommendation after they were contacted by an unknown third party asking for money to return their confidential data, supplying proof, of course, in the form of attachments. The nature of the client's business is such that the confidential data, in the wrong hands, would present a significant risk to the business, hence our involvement. Without naming any particular company, the previous 'supplier' of our new client's IT seemingly had no idea about security and probably wouldn't know a risk assessment if it hit them in the face, and that annoys me, not only because we come across this situation very regularly but because there's really no excuse for putting a company's very existence at risk by simply not understanding the sector in which you operate. In any industry there will always be suppliers who know the industry and those who don't, but in IT the actions of one supplier can quite literally mean the end of their customer's business, as was potentially the case in the incident that prompted this article.

Start with this question: what is your data worth to someone else? If you sell washing machine spares then it's worth money to your competitors, and the pain will be felt gradually as you lose customers for unknown reasons; but if you're a solicitor's practice, a financial organisation or a doctor's surgery, the value of the data goes far beyond its monetary value: there's the exposure, the embarrassment and the compensation that would ensue, along with sanctions from regulators and so on.

So I will try my best to educate customers in what is and is not a good idea when considering IT and security. The list below isn't exhaustive but it certainly covers some of the main issues...

  • If you have an internet connection, never under any circumstances connect a cheap residential router directly to your LAN. If, for example, you have an internet service from BT and they supply you a cheap Huawei router, never connect that directly to your LAN. These devices are cheap as chips and have about as much security as a paper bag: they are easily compromised, do no outbound (egress) filtering at all and their firewall is laughable. They aren't intended to sit on a business LAN; in most cases they are 'residential' quality, and as a business you're expected to understand the risks and mitigate them, either by replacing the router with a competent one or by putting a separate security appliance between it and your LAN. But trust me on this, just don't connect it to the LAN, ever.
  • Local services, and more specifically a local (in your business) web server or email server, must under no circumstances be connected to the internet directly. This is bad on many levels, most of them technical, but the key point is that if you allow the server to talk to the internet you have also allowed the internet into your network, because communication is a two-way process. This is the very attack vector (the method of the data breach) used in the incident that prompted this article. The client's 'IT' supplier set up Microsoft Exchange on a server and then opened ports on the cheap router, which was directly connected to the LAN. The server was quickly compromised, and whilst it was used to originate spam the attackers also pivoted from there to the company's NAS and downloaded the entire thing. How? Because the administrative account on the Exchange server used the same username and password as the admin account on the NAS - seriously. If a server must be reachable from the internet, put it in a separate network segment (a DMZ) with only the required ports forwarded to it, block it from initiating connections into the LAN, and never reuse administrative credentials between it and anything internal.
  • Never rely on free or bundled antivirus, and never on 'Windows Defender' alone; in our experience they stop very little. A good antivirus solution will protect your network and its endpoints to a degree, but it can never be 100% no matter how much you spend. Our AV solution comes out at £2 per month per machine and includes support should you experience a virus event and require it, which is also an important provision. But be aware that an antivirus solution will not protect you from poorly designed, poorly implemented network security.
  • Never rely on the poorly implemented and weak VPN services built into cheap routers. PPTP in particular is so weak (its MS-CHAPv2 authentication has been practically broken for years) that it should be considered unusable. There are far better solutions for VPN: a dedicated VPN appliance, or VPN combined with your security appliance, is the best option. Better still is a secure access service such as SAS or Juniper SA.
  • Never install applications such as TeamViewer, radmin, VNC and the like. These applications create persistent (always-on) outbound tunnels through your firewall to the internet, which can easily become additional attack vectors, especially when combined with social engineering. A good firewall with application control will block these programs' connections by default. If you do need remote access then use a secure VPN as above.
  • Wireless, when set up correctly, can be very useful, but when set up poorly it presents a significant risk to the business. This is of course because Wi-Fi isn't just in your office; it's outside in the street, next door and on other floors, and cheaper Wi-Fi equipment has flaws that can be exploited to recover the Wi-Fi password and associate with the access point. Even more effective are social engineering techniques to obtain a Wi-Fi password, and of course there's Microsoft's Wi-Fi Sense password-sharing endeavour which we talked about before. So stick with high-end Wi-Fi access points, have centralised management and oversight, use WPA2 with AES (CCMP) encryption and not TKIP, which is deprecated and weak, and treat MAC-based filtering only as a minor second layer, since a MAC address is trivially spoofed; 802.1X (WPA2-Enterprise) is the proper answer where you can manage it.
  • Ports or not ports: almost all businesses have Category 5e, 6 or similar structured cabling throughout, terminating at the wall in RJ45 jacks, and that's great because this is where you plug your computers and phones in, but managing the availability and security of these jack points is a critical concern. Consider this scenario: a business has cabling throughout the offices including reception, canteen, locker room etc. A person pretending to be a potential customer enters the premises and, whilst no one is paying attention, plugs a small device no bigger than a thumb drive into a vacant port and leaves. You might think that'll never happen, but in the IS audits we do for our clients it HAS happened and will continue to happen. The device is a small battery-powered Wi-Fi access point that doesn't broadcast its SSID (network name). With this the 'visitor' can, from the car park, obtain a local IP address (DHCP will happily hand one out) and then scan the network for services such as email, file shares and so on. With a little effort and some automated software a selection of attacks can be performed and, if successful, systems and data compromised. The perpetrator will then upload some software which opens an outbound connection through your firewall to a remote server and waits for instructions. Everything from here onwards can be done from anywhere in the world and there is very little anyone can do to track it down. This is becoming an effective attack vector and awareness is the key. Don't have any ports live that don't need to be, use managed switches with per-port allow lists (by MAC at minimum, 802.1X where possible, bearing in mind that a MAC address is easily copied from a legitimate device), and have some form of intrusion detection, either in the security appliance or separate.
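As an added example (my own code, not GEN's and not taken from the original post) of the 'managed switches and allow lists by MAC' point, here is a small Python audit that reads a switch MAC-address table dump and checks it against an asset register. The dump, the port names and the MAC addresses are constructed for illustration, and the register is a hypothetical one. The point it makes in code is the caveat above: the check catches a device on a port that should be dead and a device that isn't the one the register expects, but a cloned MAC sails straight through, so the allow list is a tripwire, not a lock.

```python
"""Audit a switch MAC table against an asset register to spot rogue devices.

Added example, not GEN's tooling: the switch dump, port names and MAC
addresses below are constructed for illustration.
"""
import re

# Constructed sample in the style of a Cisco `show mac address-table` dump.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1c2d    DYNAMIC     Gi1/0/1
  10    0050.56ab.1c2e    DYNAMIC     Gi1/0/2
  20    0050.56ab.1c2f    DYNAMIC     Gi1/0/3
  10    b827.eb00.0007    DYNAMIC     Gi1/0/7
  10    b827.eb11.2233    DYNAMIC     Gi1/0/12
"""

# Hypothetical asset register: which device (by MAC) is patched to which port.
EXPECTED = {
    "Gi1/0/1": "00:50:56:ab:1c:2d",   # reception PC
    "Gi1/0/2": "00:50:56:ab:1c:2e",   # accounts PC
    "Gi1/0/3": "00:50:56:ab:1c:2f",   # VoIP handset
    "Gi1/0/7": "00:1b:21:00:aa:01",   # printer
}

# Wall ports in public areas (canteen, locker room) that should be shut down.
SHOULD_BE_DISABLED = {"Gi1/0/12", "Gi1/0/13"}


def normalise_mac(mac: str) -> str:
    """Accept Cisco dotted, colon or dash notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str):
    """Yield (vlan, mac, port) for each data row, skipping the header lines."""
    row = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            yield int(m.group(1)), normalise_mac(m.group(2)), m.group(3)


def audit(text: str, expected=EXPECTED, disabled=SHOULD_BE_DISABLED):
    """Return (kind, port, mac) alerts for anything not where the register says.

    A matching MAC is weak evidence only: an attacker who unplugs the printer
    and clones its MAC onto a rogue box passes this check, which is why 802.1X
    and shutting unused ports matter more than the allow list itself.
    """
    alerts = []
    for _vlan, mac, port in parse_mac_table(text):
        if port in disabled:
            alerts.append(("DEVICE_ON_DISABLED_PORT", port, mac))
        elif port not in expected:
            alerts.append(("UNREGISTERED_PORT", port, mac))
        elif expected[port] != mac:
            alerts.append(("MAC_MISMATCH", port, mac))
    return alerts


if __name__ == "__main__":
    for kind, port, mac in audit(SAMPLE_MAC_TABLE):
        print(f"{kind:24} {port:10} {mac}")
```

Run against the constructed dump it reports two things: the printer port carries a MAC that isn't the printer, and something is alive on a canteen port that should have been shut down. Feed it a real `show mac address-table` (or the equivalent from your switch vendor) on a schedule and alert on any output at all.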

The bottom line here is that any IT infrastructure should not in any way directly connect the public internet to your local network and likewise your local network should never directly connect to the public internet. This one is simple.

More challenging is making staff aware of vulnerabilities in your infrastructure and how to detect and deal with them. We've touched on social engineering above, but it is becoming more and more common, and whereas you might be very good at spotting spam or phishing emails, suspect phone calls from 'IT support', or be aware of the possibility of rogue devices and subversion, is everyone in your organisation? In this modern world they need to be, through both training and auditing. No matter how secure your network is, with its expensive firewalls and security appliances, it only takes one member of staff to bring the whole thing crashing down. Staff are and always will be the biggest risk to any organisation, but trust me on the crappy router.


Windows 10 and Wifi Sense

Windows 10 has a lot of additional features over previous versions and most are safe enough, but a few stand out as being a little dangerous. Wi-Fi Sense is one of those because it doesn't clearly explain to the end user the ramifications of turning it on. Microsoft describe Wi-Fi Sense as: "WiFi Sense automatically connects you to WiFi, so that you can get online quickly in more places. It can connect you to open WiFi hotspots it knows about via crowdsourcing, or to WiFi networks your contacts have shared with you by using WiFi Sense."

Sounds great! If you're out and about, your laptop or phone will automatically connect to Wi-Fi that has been shared by 'crowdsourcing' without even telling you. So why is that bad?

Well, it's bad on many levels, and I'm going to try to be as non-technical as possible here so as to benefit as many readers as possible...

  • Firstly, automatically connecting to anything is bad, except to the trusted Wi-Fi in your home and/or office. Malicious individuals can set up a Wi-Fi hotspot, leave it without WEP or WPA (i.e. no password needed) and then wait for unsuspecting people to connect to it, at which point a crafted attack is launched at your device. If passwords are being shared between these hotspots and many Microsoft devices then everyone who passes by is at risk. You should always be careful when connecting to Wi-Fi, especially from a Windows Phone or computer.
  • Wi-Fi passwords are there for a reason: to limit access to the Wi-Fi network to those who know the password. Wi-Fi Sense, as described by Microsoft, will "Automatically connect you to WiFi networks that your Facebook friends, Outlook.com contacts or Skype contacts have shared with you after you've shared at least one network with your contacts.". So that means that if, by chance, you have not disabled "Share network with my contacts", which is found in Settings > Network & Internet > WiFi > Manage WiFi settings, then your home and office Wi-Fi passwords are shared with all your Facebook friends and contacts (Microsoft send the password to their devices in encrypted form so they can't read it, but they can connect, which is the point). That is bad for so many reasons, but here are a few. Firstly, do you really want everyone on your Facebook friends list being able to connect to your personal Wi-Fi network at home, remembering that your home Wi-Fi network is treated as your local area network and is trusted? Worse still, do you want your social media and email contacts having the company Wi-Fi password and being able to access the company network at will? I don't think anyone does, but that's what's going to happen unless you disable this feature.
  • Did you know that Wi-Fi Sense also captures your GPS location as well as your Wi-Fi password? How safe is this data that you're sharing? Where is it stored and how is it shared? Consider the potential risk of that data being compromised and revealing the Wi-Fi passwords of millions of users worldwide; that alone should be enough to turn this feature off.

So it's up to you, as users, to make your own decision on how this goes; all I can do is point out the risks and leave it with you. Microsoft have an FAQ on the subject which I recommend reading for additional information. (Since this was written, Microsoft has removed the contact-sharing part of Wi-Fi Sense in the Windows 10 Anniversary Update, version 1607; the setting that automatically connects to suggested open hotspots remained for some time after that and is still worth checking.)

To disable Wi-Fi Sense, follow the instructions in Microsoft's FAQ. Remember, even if YOU disable it and then let someone you know have access who has NOT disabled it, there is a possibility of your Wi-Fi password being shared, so check with everyone you give access to that they have also disabled Wi-Fi Sense. If you are still worried then you can change your SSID to something ending in _optout, as per the Microsoft FAQ, but that seems a little extreme unless you have already shared your Wi-Fi password unknowingly with the world, in which case change both the SSID AND the Wi-Fi password once you've disabled Wi-Fi Sense.

You may also want to consider disabling location tracking (Settings > Privacy > Location in Windows 10).

 


Today at the Helpdesk - ITV Player

A customer raised a ticket at the HelpDesk today complaining that their ITV Player was no longer working correctly and was giving strange messages. We asked for a screenshot and received it minutes later. The screenshot indicated 'Ad Block Software detected', which piqued our attention, so we investigated further.

Now, ITV Player is one of the few remaining services still using Adobe Flash Player to stream video despite there being much better transports available (HTML5 video, for instance), and Flash gives us a number of problems here because (a) Shockwave/Flash is blocked by default at the firewall (as it is for all our officeGateway customers), and (b) none of our workstations have Flash installed, as it is a high security risk. Anyhow, after some faffing about we managed to get the Adobe Flash demo page to work and then switched over to ITV Player.

After selecting a programme to watch, the usual unclean and tatty Flash player window is displayed, and we click the big > in the middle to play. Immediately we're given 5 minutes of adverts to watch before we can do anything else, like FF/REW. Then after the 5 minutes of ads we're onto the programme's introduction for another 2 minutes and then finally the show begins. At this point we followed the end user's reported behaviour of fast-forwarding to the second segment of the show, and doing this means that again we have to watch another 5 minutes of adverts, and then on the last advert the player threw up the 'Ad Block Software detected' message.

Perfect: we can reproduce the issue on a freshly installed (today) system running Safari 9.1 on OS X 10.11 with definitely no ad block software installed. After this rather abrupt message the player is dead and you have to refresh the page, and whilst the option to 'Resume' is offered it does nothing except start from the beginning again, meaning... watch another 5 minutes of adverts, FF, then watch another 5 minutes of adverts and finally get to the segment you need to watch. But on our second try we got something else...

And yet again Flash Player is dead and we've got to reload the page, another 5 + 5 = 10 minutes of the same pointless adverts, and then the show plays just fine. We shuffled back and forth several times after this and it seemed to play everything just fine; we even left it playing in the background and it got through another two episodes before the 'Ad Block Software detected' message truncated our viewing enjoyment. So, Flash being so easily reversed, we downloaded the SWF file and took a look at the cause of these spurious and erroneous messages.

Looking at the code (ActionScript) within the SWF file, it would appear that the ad block message is triggered when an HTTP request fails, but a failed request doesn't necessarily mean ad block software, does it? A flaky connection, a timeout or a third-party domain blocked at the firewall produces exactly the same symptom. In our short tests today the player has shown itself to be far less than reliable on a fresh install of OS X, and if all it takes is an HTTP error to cause it all to come crashing down then someone really should sort that out. Whilst we were in the code we did notice a significant level of logging and auditing taking place that I'm fairly sure no one knows is happening, but that's another story for another day.

For effective ad blocking with this shockingly poor Flash setup it would be much easier to redirect the SWF request to a crippled SWF (or a decompiled and recompiled one) with the ads removed. If, on the other hand, someone actually wanted to add 'ad blocking software' detection then doing it within HTML5 would be far simpler: some client-side JavaScript passing a token back to a server somewhere gives a reliable solution. Of course, once you've spent a few £££ on that solution the ad block software vendors will find a way around it by trashing your client-side JavaScript, so one has to wonder if the battle is even worth the expense. In ITV's case I strongly suspect their spurious 'Ad Block Software detected' message simply serves as a catalyst for the viewer to hit Google and discover that ad block software does exist and how to download and install it. I suppose it's a little like The Pirate Bay, which virtually no one had ever heard of until someone decided to sue them, and suddenly the whole world knew about it and sites like it, and moreover how to get around all the worthless 'blocks' that ISPs were ordered to set up.

So back to the ticket in question. We couldn't, of course, fix ITV's failure to provide a stable service, but the whole idea of 'Ad Block Software' gave us another avenue to explore: ad block software! We searched the internet, found several solutions all promising to remove all ads and thought we should give them a try. I'm going to call these Program 1, 2 and 3 and not give out the actual names, as I don't want to encourage anyone to install software that's not been fully certified as safe, but if you have the knowledge then Google/Bing is your friend.

  1. Program 1 is open source, freely available and seems to have a fairly active GitHub repository. Once installed we found it did indeed block some ads, but not ITV's. It didn't increase the incidence of the erroneous "Ad Block Software detected" message; in fact it seemed to occur less often with it installed, but that may be coincidental. So we uninstalled that and moved on to...
  2. Program 2 is closed source but freely available and seems well supported. We installed it without issue and again it did stop some ads on 'other' websites, but for ITV Player it stopped it working altogether. We found that we could set various options to make it work again, but we still got ads and the erroneous message still appeared from time to time, though no more often than with nothing installed. So, uninstall and move on to...
  3. Program 3 is closed source and not free, but we did manage to acquire a temporary licence from the vendor for our testing. This installed without issue and finally our ITV Player was advert free, and without any 'Ad Block Software detected' message either. With a little more investigation into the settings it was clear that this plug-in was operating at a much lower level than Programs 1 and 2.

So, in summary, the message is in error and clearly only serves to annoy potential viewers, but when you look at the whole ITV Player setup, being forced to watch 10 minutes of adverts for each segment you skip to, which adds up to something like 40 minutes per hour of viewing, is in itself going to alienate customers, especially if they are the same ads over and over again, which is what we observed. I personally think YouTube has the balance about right (and I'm rarely one to support Google) with its skippable adverts, which means that if I'm not interested then I'm not forced to watch it all, but on the other hand the adverts that do interest me I can watch in full, and I do watch some in full, just in case anyone wondered.

This article is a technical article and the content is solely the opinion of the author and not the company. E&OE. Neither the author nor the company has any interest in ITV, its player or any solution designed to remove advertising and does not recommend you do or do not install any such solution. 

Follow up

So, the same customer contacted us again today via the HelpDesk to tell us that ITV Player was now not working at all and instead was saying "ITV Hub is only available to viewers in the UK".

Whilst it's mildly entertaining that ITV seem to think that Reading, Berkshire is not in the UK, that is in fact the location of our customer. We did check the RIPE whois on the IP subnet used by our customer and it is indeed registered in the UK, so this is clearly just another ITV error (whatever geolocation database ITV uses evidently disagrees with the RIPE registration). We simply advised that they contact ITV at the address given in the message, as instructed, because the only people who can fix this are ITV.

 

 

Recent comment in this post
Guest — LJM, Friday, 13 January 2017 14:15:
ITV Player has always been a substandard piece of trash. Requiring logins, requiring ad-blockers to be removed when they aren't e...

Web Harvesting, List building and how to avoid it

Today at Technical Support

One of our customers raised a ticket at the HelpDesk complaining of telemarketing calls on his managed VoIP telephony system. Some technical analysis later proved that the incoming calls were genuine calls and that there was no security issue with the platform. The customer disclosed that his email was also inundated with spam, which had started around the same time, and this pointed us to a completely different cause. During the next few updates and phone calls the customer disclosed that he'd recently had his website redesigned and had paid for some form of 'marketing'.

Taking a quick look at the website it was clear to see why they were suddenly the victims of a spam attack. The website, although very pretty, had their phone number (actually three of their phone numbers) in plain text on the contact form and again on the about page. Additionally, their email address was hard-coded into the contact form's markup, where any scraper can read it.

A quick web search, using our favourite search engine, for their telephone numbers showed them appearing in 192.com, yell.com and various other 'indexes' that no one ever uses any more, in one form or another. This was apparently the 'marketing' they had paid for.

Web Harvesting

It's fairly easy to write a program that will load a web page and save the contents to disk. It's fairly easy to take said contents and search through them for email addresses and telephone numbers. Now imagine that same program started at Google UK with a search for "engineering" and then just spidered (followed every link), saving the contents and searching each page for email addresses and phone numbers. That's exactly what web harvesting is, and spammers use it all the time to compile and sell lists of phone numbers and email addresses to other spammers.

So how do you prevent your contact information being harvested? 

It's actually as simple as you'd expect: do not, under any circumstances, put your email address or telephone number on your website, ever. In days gone by we were able to put the telephone number in an image and obscure it that way, but with modern OCR systems like Tesseract even that no longer works.

If you really, absolutely must have your telephone number on your website then we can shield it by formatting it in such a way that simple searches won't see it (such as breaking it up into several parts and putting each part in a separate DIV/P), or we can hide it behind a server-side request protected by a captcha. Both options serve to confuse potential customers, and do they give any benefit? The markup tricks only defeat the laziest programmatic harvesters; anything that strips the tags before searching will still find the number, so the captcha is the only one of the two with real teeth, and neither will stop list builders from Asia.
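To show why the markup tricks above buy so little, here is an added example (not GEN's code and not part of the original post) of the two kinds of harvester in Python: a naive one that runs regular expressions over the raw HTML, and one that strips the tags first. Both pages it runs over are constructed, and the numbers and addresses in them are made up (the .invalid domain is reserved, so they can't be real). The number split across spans hides from the first harvester and not from the second; the email in the hidden form field is found by both.

```python
"""How a web harvester pulls contact details out of a page, and why hiding the
number in markup does not help. Added example, not GEN's code; the two pages
below are constructed and the addresses/numbers in them are made up.
"""
import re
from html.parser import HTMLParser

# Constructed 'about' page: number and email in plain text, plus an email
# hard-coded into a hidden form field, as on the customer's site.
PAGE_PLAIN = """<html><body><h1>About</h1>
<p>Call us on 0118 496 0123 or email sales@example.invalid</p>
<form action="/contact"><input type="hidden" name="to" value="info@example.invalid"></form>
</body></html>"""

# Constructed contact page with the number split across spans to defeat
# a naive regex over the raw HTML.
PAGE_SPLIT = """<html><body><p>Tel: <span>0118</span> <span>496</span> <span>0123</span></p>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# UK-style national number: a leading 0 then 9 or 10 digits, once separators are gone.
PHONE_RE = re.compile(r"(?<!\d)0\d{9,10}(?!\d)")
SEPARATORS_RE = re.compile(r"[\s().-]")


class _TextAndAttrs(HTMLParser):
    """Collect visible text and every attribute value (hidden inputs included)."""

    def __init__(self):
        super().__init__()
        self.pieces = []

    def handle_data(self, data):
        self.pieces.append(data)

    def handle_starttag(self, tag, attrs):
        self.pieces.extend(v for _k, v in attrs if v)


def page_text(html: str) -> str:
    parser = _TextAndAttrs()
    parser.feed(html)
    return " ".join(parser.pieces)


def naive_harvest(html: str) -> dict:
    """What a lazy scraper does: regex straight over the raw HTML."""
    return {
        "emails": set(EMAIL_RE.findall(html)),
        "phones": set(PHONE_RE.findall(SEPARATORS_RE.sub("", html))),
    }


def harvest(html: str) -> dict:
    """What a slightly better scraper does: strip the markup first, then match.

    Splitting the number across elements only changes where the tags sit;
    once the tags are gone the digits are contiguous again.
    """
    text = page_text(html)
    return {
        "emails": set(EMAIL_RE.findall(html)) | set(EMAIL_RE.findall(text)),
        "phones": set(PHONE_RE.findall(SEPARATORS_RE.sub("", text))),
    }


if __name__ == "__main__":
    for name, page in (("plain", PAGE_PLAIN), ("split", PAGE_SPLIT)):
        print(name, "naive:", naive_harvest(page), "tag-stripped:", harvest(page))
```

The second harvester is about ten lines more than the first, which is roughly how much effort the DIV/P trick costs an attacker. Anything that is in the page, visible or not, should be assumed harvested.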

List Builders from the far east? 

Yep. Qualified lists can be purchased for not a great deal of money from certain companies that don't use programmatic harvesting but instead have a room full of staff who use search engines, find companies and compile lists. For example, if you wanted a list of dentists in the South East then for a few hundred dollars your custom list can be provided. It's not going to be perfect, but the accuracy is going to be much better than web harvesting because someone has actually done some research.

Is it legal? Broadly, yes: the legislation to date is aimed mainly at protecting individuals rather than businesses, and besides, even the current legislation is next to worthless given the global nature of the internet.

Contactless Contact 

Contact forms without contact information? Sounds like trouble, but in fact a well designed and fast contact form will usually do the trick just fine. If you want that instant response then consider an inline chat system like tawk.to.

But what about Google Places for Business, or Bing's equivalent?

In order to have your business listed in either you need to have a phone number, but it doesn't have to be geographic and it doesn't even have to work. We're listed in both, of course, but we've listed a non-geographic (08700) number which plays a message saying to head on over to the website, and that works just fine given that we get almost no traffic on the number over the year.

 

 


How to completely Remove OneDrive from Windows 10

OneDrive comes installed with Windows 10, and whilst some may trust Microsoft with their personal, corporate and confidential data, I'm not one of those. So I want it gone: gone from Windows Explorer, gone from the taskbar and just generally not there any more.

So firstly, open up a command prompt. This can be done by pressing the Windows key + R and typing CMD, by typing CMD into the Cortana search box next to the Start button and selecting Command Prompt, or by going to Start / All Apps / Windows System / Command Prompt. You should wind up with a black box with some text in it saying something like "Microsoft Windows [Version 10.0.10586]" and so on.

Now with any luck its going to leave you with

C:\WINDOWS\system32>

If not, change into the directory that holds the OneDrive installer. Which directory depends on whether you're running 32-bit or 64-bit Windows 10, and it's the opposite of what you might expect: on 64-bit Windows the installer lives in SysWOW64 (the folder for the 32-bit subsystem), and SysWOW64 doesn't exist at all on 32-bit Windows.

64-bit: Type cd \windows\sysWOW64

32-bit: Type cd \windows\system32

Now we are ready to remove OneDrive. If OneDrive is currently running, close it first (taskkill /f /im OneDrive.exe from the same prompt), then the command is:

OneDriveSetup.exe /uninstall

Once you've run this you will probably get one of those suitably annoying UAC confirmations, and you should select Yes.

And its done, its gone, no more OneDrive. 

NOTE: With each Windows 10 feature update ("refresh") Microsoft reinstall OneDrive without notice, so you will need to remove it once again by following the instructions above, or the slightly more complete version available at GENSupport.net.


Windows 10 and Microsoft Ad-ware

If you are unfortunate enough to have upgraded to Windows 10 and found half your stuff doesn't work, and the rollback option (which is only offered for a limited period after the upgrade) has gone, then a fresh reinstall of Windows 7 is probably the only option. If, however, you've upgraded and it's all pretty much working then you may want to get rid of a number of Windows 10 annoyances, and we'll deal with those here.

Firstly, Windows 10 brings Microsoft advertising directly to your desktop. No one asked for this or wants it, but it's there and luckily it's easy to turn off.

Go to Start / Settings, then Personalisation, then Start from the left, and finally locate and disable "Occasionally show suggestions in Start".

Now you're free of that, how about the equally annoying pop-ups that seem to want you to try various Microsoft products and so on?

Go to Start / Settings, then System, then Notifications & Actions from the left, and finally disable "Show me tips about Windows".

Then scroll to the bottom of that window and look for things like "Get Office" and turn that off too. 

And at last, quiet. 

Well for now at least, until Microsoft push out another update, and yet more annoying ads. 


Backup and Restore Strategies

It's that time of year when we like to remind our customers that having a complete and tested backup and restore strategy is a business-critical requirement, especially when many customers work on a set-and-forget basis. That is, they set it up and then forget about it, only being vividly reminded when the server catches fire or some other disaster strikes. We've recently had one customer who set up an online backup almost 3 years ago, and when they really needed it they found the company had gone bust two years ago, which in short means no backup. Another customer in Q4 last year had an online backup solution which used a local key, stored on the backup server, to encrypt the backup; which is great until the server blows up and you can't restore the data without the key that's now lost (the key has to be kept somewhere that survives the loss of the server, or the backup is just noise). These are just simple examples of how set and forget, which is so often promoted as beneficial, is really not in any way a benefit.

So whatever your backup solution, please take the time, at least once a year if not more often, to analyse the log files and actually test the restore process: restore onto a separate system, check that the files come back complete and intact, and make sure it all works as expected.
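As an added example (my own, not one of GEN's backup products) of what 'actually test the restore' can look like when automated, this Python script records a manifest of file hashes at backup time and then checks a restored tree against it, reporting missing, altered and unexpected files. Everything it touches is constructed inside a temporary directory, so it runs anywhere; the file names and contents are made up.

```python
"""Record a manifest at backup time and check a restore against it.

Added example, not one of GEN's backup products: the files, paths and
the 'corruption' below are all constructed inside a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored_root, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken when the backup was made."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(
        rel for rel in manifest
        if rel in actual and actual[rel]["sha256"] != manifest[rel]["sha256"]
    )
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not missing and not corrupt}


def demo():
    """Back up a constructed tree, restore it, then break the restore and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "docs").mkdir(parents=True)
        (live / "ledger.csv").write_text("2016-01-04,100.00\n")
        (live / "docs" / "contract.txt").write_text("signed copy\n")

        # Backup: copy the tree and write the manifest. Keep the manifest (and any
        # encryption key) somewhere other than the backup server itself, otherwise
        # losing that server loses the means to check, or decrypt, the restore.
        shutil.copytree(live, tmp / "backup")
        (tmp / "manifest.json").write_text(json.dumps(build_manifest(live)))

        # Restore onto 'another system', simulated here by a fresh directory.
        shutil.copytree(tmp / "backup", tmp / "restore")
        manifest = json.loads((tmp / "manifest.json").read_text())
        clean = verify_restore(tmp / "restore", manifest)

        # Now the cases set-and-forget never surfaces: a silently altered file
        # and a file that never made it back.
        (tmp / "restore" / "ledger.csv").write_text("2016-01-04,999.00\n")
        (tmp / "restore" / "docs" / "contract.txt").unlink()
        broken = verify_restore(tmp / "restore", manifest)
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore ok:", clean["ok"])
    print("broken restore:", broken)
```

The manifest is what turns "the restore ran without errors" into "the restore gave us back the files we had"; the two are not the same thing, and the second is the one that matters when the server has caught fire.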

If you're using any of GEN's backup solutions then we're more than happy to work with you to actually carry out a full restore onto another system to test the solution.

 


Counterfeit HP Consumables

Hewlett Packard are not by any stretch the only manufacturer to lose revenue to cloned consumables, but they are by far the largest supplier affected by corporate procurement of counterfeit items. GEN, as an HP partner, will of course only supply HP-branded consumables and we're confident that our supply chain is trustworthy, but in December 2015 a large IT distributor was found to have a significant stock of counterfeit HP consumables and had, of course, supplied those to corporate customers.

There has always been an argument that counterfeit supplies somehow help to control the price of genuine products, but it's rarely backed up with any evidence, and if you actually analyse the cumulative effect that counterfeit consumables have then the opposite is far more likely the case. The reason for this article is that one of our good customers has recently returned an HP LaserJet printer to us for repair, still containing a counterfeit cartridge. The damage to the printer was a direct result of the failure of that cartridge, and as such we are in a difficult position. In all likelihood we'll repair it at our cost under its warranty and then speak to the customer about the risks of counterfeit items, but how many times must we take the loss before we simply have to start charging for the repairs?

And it's not just us that will lose out. HP in many cases make zero (or less) profit on the actual hardware and instead rely on revenue from the consumables to fund future development. If the market becomes saturated with counterfeit consumables then (a) HP will have no choice but to charge more for the hardware, (b) HP will not honour its warranty where fake consumables have been used and (c) HP's reputation for high quality products will be tarnished unfairly by printer failures resulting from sub-standard fake consumables, and who loses out in the end? We do.

Identifying counterfeit consumables is actually quite hard, as they are deliberately manufactured to be 'clones' of the genuine article, but the key indicator is the cost. If you're suddenly offered consumables (in small quantities) at significant discounts then they are almost certainly fake and/or sub-standard. 

The only advice we can give is to purchase your consumables from HP Authorised distributors or Partners; that way you're assured of genuine items. 

HP have their own pages dedicated to counterfeit consumables which I'll link in HERE

Hardware, consumables and duty cycle are the three factors that any business must build into a price/performance calculation when looking for a new hard-copy solution, and we would always do that for you. But if you're a business that has purchased a number of HP printers and is now having issues with the cost of consumables, do talk to us, as we can in many cases offer bulk pricing which over time can provide a significant saving. 

© GENADMIN

iPhone and Error 53

With the iPhone 6 (and later), which have been in circulation for a little over a year now, there are certain caveats that must be observed when repairing them. The two that are related to Error 53 are: 

  • There are four screws which hold down the connectors to the screen assembly, and they are different lengths for a reason. If you get them wrong then the long one will drive a hole through the PCB and there's no way back from that. 
  • The Touch ID sensor has a unique ID which is paired with the system board, and the two must be kept together. Only Apple can update the system board to work with a different Touch ID sensor. 

So, whilst we know this, and when we repair iPhones we ensure that we keep the same Touch ID sensor and put the right screws in the right places, this isn't always the case in the third-party repair marketplace. Screws in the wrong holes are unforgivable, but the Touch ID sensor is a little more complex because the issue only appears when you try to upgrade the iPhone to iOS 9: as long as you're on iOS 8 or earlier you're going to be fine; try to upgrade and your phone is dead. 

The real issue here, however, is not that the Touch ID sensor was discarded or replaced in the past by a third-party repairer; it's that Apple have decided in their ultimate wisdom to implement a 'check' in iOS 9 which retrospectively renders customers' iPhones useless when they upgrade, and without any warning at all. We and the whole industry assumed at first that this was an oversight or error, but Apple have made no effort to resolve it, rendering customers' phones worthless in their thousands. For Apple it's a win because the customers now have to purchase a new iPhone and hope that they have a backup of the dead one, but that's not always as simple as it sounds: the newly purchased iPhone will be on iOS 9 and the backup will most likely be from iOS 8, which of course will not restore to an iOS 9 phone. Thanks again, Apple. There are third-party applications such as DiskAid which can transfer the majority over, but it's hard work and a world away from the 'everything is simple and intuitive' that Apple likes to imply. 

The future is uncertain; it all depends on how many users are ultimately affected and whether any regulator steps in to enforce some sort of resolution. We'll just have to see. 
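As an added illustration of the pairing described above (example code, not Apple's implementation and not from the original article): the logic board holds a board-only secret and a keyed hash of the sensor it was built with, and an OS version that performs the check refuses to boot when the fitted sensor no longer matches, while an older OS boots without looking. The class and function names, the HMAC construction and the version threshold are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class LogicBoard:
    """Toy model of a logic board holding a board-unique secret and the pairing
    record of the fingerprint sensor it was built with. The secret never leaves
    the board, so only whoever can run the pairing step (in the article, Apple)
    can bind a replacement sensor."""

    def __init__(self):
        # Assumption: in real hardware this key lives in tamper-resistant storage.
        self._board_key = secrets.token_bytes(32)
        self._paired_tag = None

    def pair_sensor(self, sensor_id: bytes) -> None:
        """Factory/service step: record a keyed hash of the sensor identity."""
        self._paired_tag = hmac.new(self._board_key, sensor_id, hashlib.sha256).digest()

    def sensor_is_paired(self, sensor_id: bytes) -> bool:
        if self._paired_tag is None:
            return False
        tag = hmac.new(self._board_key, sensor_id, hashlib.sha256).digest()
        return hmac.compare_digest(tag, self._paired_tag)


def boot(board: LogicBoard, sensor_id: bytes, os_major: int, check_from: int = 9) -> str:
    """Outcome of booting with a given sensor fitted.
    'unchecked' : OS predates the pairing check (iOS 8 and earlier in the article)
    'ok'        : check ran and the fitted sensor is the paired one
    'error 53'  : check ran and the sensor is not the paired one"""
    if os_major < check_from:
        return "unchecked"
    return "ok" if board.sensor_is_paired(sensor_id) else "error 53"
```

The point the model makes is that a sensor swap is invisible until the first OS that checks is installed, and that nobody without the board key can repair the mismatch afterwards.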

 

© (c) GEN 2015

Voice Encryption

Intercepting voice traffic is relatively simple and in most cases involves a simple wire tap at the telephone exchange. To counter such wire taps, analogue voice encryption technology was developed which converted your voice into a series of tones that were then transmitted over the telephone network and decoded at the far end, a method which for many years worked flawlessly but for one issue: both parties had to exchange a key before the conversation took place, and how did they do that? Well, they had to meet up or send it by post or courier. Regardless, analogue voice encryption is still commonplace in the right sort of organisations and works very effectively. 

Then came GSM (or mobile phones), which carried voice digitally over circuit-switched channels with heavy voice compression, and the existing analogue voice encryption failed to work because the codec mangled the tones. This was swiftly solved by reworking the encryption to use a smaller subset of tones, which in turn greatly reduced the voice quality over the circuit, which wasn't the best to start with. A few years later, with 3G and faster data rates, voice-to-data applications began to appear which provided a clean method of encryption without needing to interfere with the voice channel. There are several versions of this original protocol, mostly based around RSA, and they could only be used on fairly powerful smartphones due to the encryption overhead, something the Russians avoided with a clever take on the 'you speak, I speak' system: a sentence was spoken, recorded, encrypted and then sent to the receiver, which decrypted it and played it; the receiver then spoke a reply which was recorded, encrypted and passed back to the caller to be decrypted and played. Whilst it took some time to get used to, this didn't require powerful smartphones and was even harder to crack because each message had its own key variant. 

Anyway, getting on to today and the general prevalence of VoIP as a standard used by many businesses across the world. VoIP, and more specifically SIP and RTP, have now established themselves as a functional standard allowing the multitude of different IP telephony systems to talk to each other with fairly few issues. The only problem we have is that VoIP is insanely easy to intercept. 

 

The reason for this is that the voice part is sent in the clear, that is, just as compressed voice. Using a commonly available tool at any point on the network path, the voice data can be collected and converted back into speech. Additionally, the signalling protocol SIP, which is responsible for setting up and terminating the calls, is also sent in the clear and is easily intercepted to keep a log of who calls whom, when and for how long. 

Now, if you're only calling across the LAN then there's no real risk, and if you're calling office to office over a VPN (IPsec, or L2TP with IPsec; plain L2TP on its own does not encrypt anything) then it's also no problem, as the traffic will be encrypted whilst travelling between offices. But if you're making VoIP calls to people outside your own network, such as customers, suppliers or mobiles, then your calls are wide open. 

I'm pretty sure most businesses won't care, as the risk is low and who would want to intercept their phone calls anyway? Well, it's never that simple, especially in a digital age where even our own Government wants to start keeping histories of our internet use.

What's the value to a third party of knowing who you're calling and when? Or of that same third party being able to listen in to your conversations with suppliers, customers, sales reps, etc.? The value is, as always, what someone else will pay for it. 

So, can it be secured? Sure it can, but doing so isn't a DIY job and requires some work to implement. It's done in several stages, as below...

1. Secure your IP telephony solution so it supports encryption of both SIP (signalling) and RTP (voice), which means SIPS (SIP over TLS) and SRTP respectively. Note that TLS protects SIP only hop by hop: every proxy on the path terminates it and sees the signalling in clear, and when SRTP keys are exchanged by SDES they travel inside that signalling, so a single unencrypted hop exposes both the call metadata and the media key.  

2. Secure your mobile devices with a client that supports encryption. 

3. Secure your SIP trunk provider (the provider of the phone lines, although they are called trunks nowadays). 

4. Secure your critical customers and suppliers, which may take some persuasion, but you will know those who can't or won't and can take appropriate measures when speaking to them.
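To make the interception point concrete, here is an added example (not code from the original post, and not from any vendor): it builds constructed SIP INVITEs with an SDP offer and reports what a passive observer on that hop would learn from each. The Via transport shows whether the signalling hop was TLS (SIPS); the profile on the m= line (RTP/AVP versus RTP/SAVP) and any a=crypto line show whether the media is SRTP and whether its SDES key travelled in the clear. All addresses, the Call-ID and the key material are made up for the example.

```python
import re

# Constructed key material for the SDES example (not from a real call).
SAMPLE_SDES_KEY = "WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz"


def make_invite(transport="UDP", profile="RTP/AVP", sdes_key=None):
    """Build a constructed SIP INVITE with an SDP offer (sample data, not a capture)."""
    sdp = [
        "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=call",
        "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 4000 {profile} 0 8", "a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000",
    ]
    if sdes_key:
        # SDES (RFC 4568): the SRTP master key is carried inside the signalling.
        sdp.append(f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{sdes_key}")
    body = "\r\n".join(sdp) + "\r\n"
    headers = [
        "INVITE sip:2001@pbx.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK776",
        'From: "Alice" <sip:1001@pbx.example.net>;tag=a1',
        "To: <sip:2001@pbx.example.net>",
        "Call-ID: 7c3e9f@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def _uri(header_value):
    m = re.search(r"<([^>]+)>", header_value)
    return m.group(1) if m else header_value.split(";")[0].strip()


def analyse_invite(msg):
    """What a passive observer on this hop learns from one INVITE."""
    head, _, body = msg.partition("\r\n\r\n")
    hdrs = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    via = hdrs.get("via", "")
    transport = via.split()[0].split("/")[-1].upper() if via else ""
    sdp = body.split("\r\n")
    profiles = [l.split()[2] for l in sdp if l.startswith("m=")]
    has_sdes = any(l.startswith("a=crypto:") for l in sdp)
    media_encrypted = bool(profiles) and all(p in ("RTP/SAVP", "RTP/SAVPF") for p in profiles)
    signalling_encrypted = transport == "TLS"
    return {
        "caller": _uri(hdrs.get("from", "")),
        "callee": _uri(hdrs.get("to", "")),
        "call_id": hdrs.get("call-id"),
        "signalling_encrypted": signalling_encrypted,
        "media_encrypted": media_encrypted,
        # SDES keys inside cleartext SIP hand the observer the SRTP key as well.
        "srtp_key_exposed": media_encrypted and has_sdes and not signalling_encrypted,
    }


def verdict(a):
    if a["srtp_key_exposed"]:
        return "SRTP negotiated but its key crossed this hop in cleartext SIP: voice recoverable"
    if a["signalling_encrypted"] and a["media_encrypted"]:
        return "signalling and voice encrypted on this hop"
    if a["media_encrypted"]:
        return "voice encrypted, but who called whom is visible"
    if a["signalling_encrypted"]:
        return "signalling encrypted, voice in the clear"
    return "signalling and voice both in the clear"
```

The "on this hop" wording is deliberate: SIP over TLS is terminated at every proxy, and with SDES the key rides inside the SDP, so one cleartext hop (typically the trunk to the provider) gives up both the metadata and the media key. DTLS-SRTP and ZRTP negotiate the key in the media path instead, which removes that dependency on the signalling being protected end to end.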

 

I have personally seen a customer of ours install secure IP phones at key suppliers to ensure the privacy of their conversations, which might seem extreme, but it's a cheap and simple option to ensure security is maintained. 

Above is the CounterPath Bria client, which is available on most platforms and fully supports encrypted voice, as shown. Internally we use Bria on ALL our mobiles and all are encrypted. Our internal IP phones all clearly show whether the conversation is secure or not, and our staff are trained to understand the risks when it isn't; when we're the supplier we would be expected to have the systems we're promoting to others :)

 

So, if you're interested in securing your VoIP calls then give us a call today or contact us via the web. 

© (c) 2015 GEN.
Recent Comments
Guest — Brett
Had absolutely no idea it was so easy to intercept VoIP! Just assumed it was more secure.
Saturday, 28 November 2015 12:29
Guest — Jade Sanderson
Everyone is pushing SIP now like it's the new in thing, do you think this is state sponsored so they can more easily monitor phone ... Read More
Tuesday, 04 June 2019 17:08

Counterintuitive Security from Apple

I'm sure everyone likes to think their data is secure, and when you work closely with numerous Apple devices you'll know how important it is to keep the information they contain secure, but there's a fine line between effective security and counterintuitive security.

Apple, once renowned for their security, have crossed that line to such an extent that my strong alphanumeric password has been replaced with a short, easily typed one just to mitigate the amount of time each day I have to spend re-entering it. Update some apps = enter your password; share photos = enter your password; reboot the phone = enter your password; download a free app = enter your password, often several times, and that's just the daily annoyance. Added to which is "Your Apple ID has been disabled for security reasons", "Your iCloud session has expired", "Verification is required", "Your account has been accessed from another computer or device" or some other meaningless message that just wastes more of my precious time.

Can I turn this off? No. The only way around it is a simple, easily typed password. I once found that the contacts I'd entered on my iPad weren't syncing to my iPhone, which was extremely annoying as I really needed one of the contacts whilst I was out, and can you guess why? Verify your iCloud password on the iPad. It doesn't say "verify it or I'll just stop syncing everything", but I suppose I should have assumed as much. 

Then of course after this message appears, your @icloud email suddenly stops working with something like "Login to server imap.mail.me.com failed." Perfect. Now what are you supposed to do? Unlock or change the password again, via the long-winded and time-wasting password reset process at iforgot.apple.com? Yep. Then what? Well, then you have to re-enter the new password on your iPads, iPhones, MacBooks and so on. I've stopped using my @icloud.com email now just to avoid one more annoyance. 

I did a little verbal survey in the office here of no more than 10 heavy Apple users, and not one person had a sensible password for their Apple ID, for the very reasons above. We all have to deal with this nonsense on a daily basis and it wears you down. 

So how much is too much? Well, that's simple: anything that meets the criterion of ANNOYING is too much, and that's every time for me. When I first turn on my device then fine, good idea, confirm the password, but then just REMEMBER IT! How hard can that be, seriously? If some people want to have to re-enter their Apple ID and password 20 times a day then let's have a setting for that so the rest of us can TURN IT OFF. I don't like having a weak password and it gives me a bad feeling, but I simply cannot cope with the constant stupid pointless requests for the same password over and over again.

 

If you own a MacBook you'll be more than familiar with stupid dialogues popping up hourly like... (screenshot)

and even more annoying... (screenshot)

and finally something like this... (screenshot)

The issue with repeated pointless requests for your password and the security code from your credit card (which I now have to write down in my wallet because Apple asks for it that often) is that it just becomes a learned behaviour, and when something asks for it you just put it in; you don't even look to see what's asking anymore, you just type it in. That's where 'counterintuitive' comes into this sad story: you get so used to being harassed for your password over and over again that you'll type it into any dialogue asking for it without even thinking about it. On the other hand, if you had to enter it only once when your phone first turns on, then a random request for your password would immediately raise suspicion. This is why the Apple way is the wrong way to go about security. I've absolute confidence that I could write a program that would randomly pop up a fake "verify your iCloud password" dialogue and everyone would just type it in without a second thought. I'm not going to, but I could, and if I can then so can anyone else, is the point I'm trying to make. As I'm writing this article, an email has just arrived, below (I've changed the email address)...

  

Your Account - [email address removed]

*Resolution Verification Request:* #TI8CHG10918-ID92
*Date:* 14 - October - 2015

--------------------------------------------------------------------------------

*PLEASE PRINT THIS MESSAGE FOR YOUR RECORDS - PLEASE READ THIS MESSAGE IN FULL.*

Our users security means everything to us. That's why we are contacting you today in reference to your Apple Account [email address removed] with us. The Apple Privacy Policy was updated on September 17, 2014 and now requires members to update the information we hold on them because of changes to our KYC (Know your Customer) terms and conditions.

We tried to contact you on 2 previous occasions to confirm this information before the deadline on the 17th of September and did not acknowledged a response. This will be the final email before termination of your iTunes ID within the next 48 hours and all associated data.

Please follow the link provided to your profile.

 >>> Validate My Apple/iTunes Ownership 

Regards,
Apple Help

This is an automatically generated email – please do not reply to it.

*Copyright © 2015 Apple Inc.
3 Infinite Loop, MS 11172-DM, Cupertino, CA 93151.*

 

Now, I'm smart enough to know that's a scam just trying to obtain my Apple ID and password, but I wonder how many people will just click it, as they have done over and over again, because it's a learned behaviour. I doubt we'll ever know, but I hope I've made the case? If it makes YOU think about it then my job is done. 

 

How many people have received another stupid Apple message like... (screenshot)

When of course this isn't a new computer or a new device, it's the same device you've been using for the last three years, but nevertheless you're forced to re-enter your payment information, again and again. How counterintuitive is that? If you're just used to Apple making the same stupid mistakes over and over, then no one ever pays attention to the pointless emails they send out about 'a new device used xxx'; you just assume it's wrong, as usually it is. But if the Apple framework actually worked and it only produced these messages when a new device was used with your Apple ID then that would actually be useful, wouldn't it? 

 

Maybe I and the rest of the office are alone on this one and everyone else in the world thinks it's a good idea to have to re-enter your password and payment info again and again. Tell me? Comment and let us know. 

Where did the Apple go where everything just worked? Does anyone even remember that Apple? I do! 

 
© (c) 2015 GEN

Recent Comments
Guest — Ashford
YES!
Wednesday, 14 October 2015 15:16
Guest — Brian
You make a good point sir and I'm glad I'm not alone! I don't know why Apple has gone password crazy but it does make it an automatic b... Read More
Friday, 05 February 2016 15:29
Guest — smonkford
Well, I found my way here because the iPad I've been using for the last 24 months has suddenly decided that my account has been a... Read More
Wednesday, 19 April 2017 20:56

SSLv3 and Embedded Devices

Since the revelations about the weaknesses in SSLv3 there has been a rush to move away from it and a dash by website operators to reconfigure their servers for TLS (the certificate itself is not tied to a protocol version; it is the server configuration that has to change). Even while this was going on most browsers still supported SSLv3 and, depending on the browser, displayed various cryptic messages before proceeding. However, as of Safari 9.0, Chrome 45 and Firefox 40 or thereabouts, SSLv3 has been disabled permanently with no apparent way to enable it. 

Let's look at what the following browsers give back to the end user when trying to open a page served only over SSLv3: 

Chrome:  ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox: "... because it uses SSLv3, a broken security protocol"
Safari:  "... because Safari can't establish a secure connection to the server"

For everything else there's MasterCard. 

Anyway, back to the issue in hand: why would you want to enable it anyway? It's weak and broken, right? Well, kinda. It is weak and it is broken, but SSL isn't just used by websites; it's been embedded into just about every router, switch, access point, concentrator, IP phone and other embedded device, many of which rely on SSL for their configuration pages. 

Some devices (e.g. Siemens IP phones) won't talk to you unless it's via SSL, and yes, many manufacturers have released firmware updates that fix this, but (a) how do you get it onto the device if you can no longer talk to it, and (b) some manufacturers (you know who you are) like to charge customers for firmware and refuse to support 'obsolete' equipment. 

So what can you do? Well, forget Safari, Chrome and Firefox and, rather surprisingly, turn to Microsoft Internet Explorer. I know, Internet Explorer. In IE 11 (and probably earlier versions) if you go into Settings, then Internet Options, then Advanced and scroll down, you'll find you can enable and disable SSLv3, which is just perfect for talking to your hardware.

If that still gives some stupid message, then go into Settings, then Internet Options, then Security and click on Trusted sites (the green tick), then click the Sites button and another dialogue window will open with the URL of your device already in there (if not, then add it) and click Add, then Close, OK and try again. This time it will work even if it complains about it. It makes sense to switch support for SSLv3 off again when you've done, because while it is on it applies to every site you visit, but that's just as easy. So top marks Microsoft for thinking that perhaps someone somewhere might have an embedded device that still only speaks SSLv3. 

(If anyone finds a way to turn on SSLv3 in Safari, Chrome or Firefox then let me know and I'll add it to the article.)

So far the list of devices I've encountered (which is by no means exhaustive), either directly or through support requests logged on our system, which still only speak SSLv3 is: 

  • DrayTek routers, access points and switches (updates freely available)
  • Cisco routers and various other hardware (updates either not available or require a support contract)
  • Juniper switches, accelerators and security appliances (updates either not available or require some form of support contract)
  • Linksys routers, switches and IP telephony (updates available for some but not for most)
  • Some older Blue Coat hardware (updates not available: jump through hoops to try and get access to support, then find it's obsolete and there is no support)
  • Siemens OpenStage phones (updates not available online; have to get them from the distributor, which is a pain)
  • Aastra DECT solutions (updates hard to find online, unintelligible versioning and hard work to update)

(In fact a lot of phones, including Grandstream and Aastra (now Mitel), have SSLv3 issues.)

So in summary, when you think your device is down or isn't talking to you and you're getting one of the errors above, it's fine and it's just your browser being an arse. Use IE, update the firmware if you can and continue on with your life :)
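An added example (not from the original article) for finding out what an embedded device will actually negotiate, independently of any browser: it hand-builds an SSLv3 ClientHello record, which sidesteps the fact that current OpenSSL builds refuse to speak SSLv3 at all, and classifies the first record the device sends back (a ServerHello at version 3.0 means it accepted SSLv3; a protocol_version alert means it refused). The probe() function needs network access to a real device; the two sample_* functions are constructed replies so the parser can be exercised offline. The cipher suite list and the 4096-byte read are assumptions.

```python
import os
import socket
import struct

SSL3 = (3, 0)                    # record/handshake version bytes for SSLv3
HANDSHAKE, ALERT = 0x16, 0x15    # TLS record content types
PROTOCOL_VERSION_ALERT = 70


def build_client_hello(version=SSL3):
    """Minimal ClientHello record for the given (major, minor) version.
    SSLv3 has no extensions, so the body is just version, random,
    empty session id, cipher suites and compression methods."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"   # AES128-SHA, AES256-SHA, 3DES-SHA (assumed)
    body = (bytes(version) + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_response(data):
    """Classify the first record a server sends back after our ClientHello."""
    if len(data) < 5:
        return {"type": "short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        return {"type": "alert", "level": payload[0], "description": payload[1],
                "protocol_version_refused": payload[1] == PROTOCOL_VERSION_ALERT}
    if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        negotiated = (payload[4], payload[5])
        return {"type": "server_hello", "version": negotiated, "sslv3": negotiated == SSL3}
    return {"type": "unknown", "content_type": ctype}


def probe(host, port=443, timeout=5.0):
    """Send an SSLv3 ClientHello to a live device and classify the reply.
    Needs network access; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(SSL3))
        return parse_response(s.recv(4096))


# Constructed replies for offline use (not captured from any real device).
def sample_sslv3_server_hello():
    body = bytes(SSL3) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"  # version, random, sid, suite, comp
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(SSL3) + struct.pack("!H", len(handshake)) + handshake


def sample_protocol_version_alert():
    # fatal (2) protocol_version (70) in a TLS 1.0 record: what a patched device sends
    return bytes([ALERT, 3, 1]) + struct.pack("!H", 2) + bytes([2, PROTOCOL_VERSION_ALERT])
```

Running build_client_hello with (3, 1) through (3, 3) as well tells you whether the device also speaks TLS, in which case the browser error is a cipher problem rather than a version one. A device that really can only do SSLv3 should only be reachable from a management network, since nothing it does over that connection is confidential against anyone on the path.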

E&OE. 

 

 

Recent comment in this post
Guest — Rich
How about an embedded serial server? Yup, same gotcha! No firmware update, no way to fix it, but no real risk leaving it as it's LAN ... Read More
Thursday, 01 October 2015 18:05

GEN CCS: a valuable addition to our SAS service offering

VPN, or Virtual Private Networking, has been around for decades and the technology has become relatively mature and secure provided it is implemented correctly (which is rarely the case). 

GEN has been offering SAS (Secure Access Service) based teleworker access to our corporate customers' networks for just under 5 years now and we currently have around 2500 users daily. To use SAS the teleworker has a username and password that they use to authenticate, after which they are offered a number of services such as access to thin-client web services, terminal services, NFS and file services, etc. 

The risk, however, comes when a username/password is compromised and/or when a user does something stupid like write the credentials on the laptop or save them on the desktop. Even with the comprehensive set of security controls within the SAS service offering we cannot protect against users behaving in a way which is likely to compromise your network security. 

Introducing GEN CCS (Compound Cryptographic Service) as an add-on to SAS. CCS provides two-factor or multi-factor authentication using a number of methods depending on the application scenario. Some example scenarios that are currently available are detailed below: 

Daily PIN as a secondary authentication factor

In this scenario, each day a randomly generated PIN code of 4 or more digits is delivered to each SAS/CCS user via text message or iMessage, and this PIN code is required to access SAS after the usual username and password. Because the second factor changes daily, users have no reason to write it down, instead keeping it on their mobile device and using it on the day as required.

Qualified PIN as a secondary authentication factor

For companies more serious about security, the CCS console can be provided to a team of staff who can generate a PIN code on demand, giving it over the telephone to the remote user when requested. In this scenario the PIN code can last for the session, the hour or the day. The team handling the calls and issuing the PIN codes should rely on some form of validation process to ensure the remote user is clearly identified as an active employee with clearance. 

On-demand PIN delivery

In this scenario an authenticated user on SAS is initially rejected, and a PIN code is generated and delivered to the mobile telephone of the user whose account was used; this PIN is then used to complete the authentication when reconnecting. PINs generated in this way can last for the session, an hour or a day as required. 
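An added example (not GEN's CCS code) of the on-demand PIN flow just described, which also covers the session/hour/day lifetimes mentioned under the daily and qualified PIN scenarios: a correct password on its own returns 'pin_sent' and triggers out-of-band delivery, the PIN is single use, it expires after pin_ttl seconds (None meaning for the session, i.e. until used), and repeated wrong PINs lock the account. The delivery hook, the PBKDF2 parameters, six-digit PINs, the three-attempt lockout and the sample user are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION, HOUR, DAY = None, 3600, 86400   # PIN lifetimes: None = valid until used


class StepUpAuth:
    """Username/password first; a PIN delivered out of band completes the login."""

    def __init__(self, send_pin, pin_ttl=HOUR, pin_digits=6, max_attempts=3, clock=time.time):
        self._users = {}      # username -> (salt, password hash, mobile number)
        self._pending = {}    # username -> {"pin", "issued", "attempts"}
        self._locked = set()
        self.send_pin = send_pin          # stand-in for SMS/iMessage delivery
        self.pin_ttl = pin_ttl
        self.pin_digits = pin_digits
        self.max_attempts = max_attempts
        self.clock = clock                # injectable so expiry can be tested

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, mobile):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt), mobile)

    def _password_ok(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            self._hash(password, b"\x00" * 16)   # same cost for unknown users
            return False
        salt, digest, _ = rec
        return hmac.compare_digest(digest, self._hash(password, salt))

    def _issue_pin(self, username, now):
        pin = "".join(secrets.choice("0123456789") for _ in range(self.pin_digits))
        self._pending[username] = {"pin": pin, "issued": now, "attempts": 0}
        self.send_pin(self._users[username][2], pin)   # never log the PIN itself
        return "pin_sent"

    def login(self, username, password, pin=None):
        """Returns 'rejected', 'pin_sent', 'authenticated' or 'locked'."""
        if username in self._locked:
            return "locked"
        if not self._password_ok(username, password):
            return "rejected"
        now = self.clock()
        pending = self._pending.get(username)
        if pending and self.pin_ttl is not None and now - pending["issued"] > self.pin_ttl:
            del self._pending[username]          # expired: a fresh PIN will be issued
            pending = None
        if pin is None or pending is None:
            return self._issue_pin(username, now)
        if hmac.compare_digest(pin, pending["pin"]):
            del self._pending[username]          # single use
            return "authenticated"
        pending["attempts"] += 1
        if pending["attempts"] >= self.max_attempts:
            self._locked.add(username)
            del self._pending[username]
            return "locked"
        return "rejected"
```

Two properties of this flow are worth keeping in mind. 'pin_sent' only follows a correct password, so the endpoint confirms stolen passwords even to someone without the phone; rate-limit it per account and per source. And PIN strength has to be judged against lifetime: a 4-digit PIN valid all day leaves 10,000 guesses to anyone holding the password, so the attempt counter (or a longer PIN) is not optional. SMS delivery is also exposed to SIM-swap and interception, which is why higher-assurance deployments move to an app or hardware token.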

These services are not for everyone, but for corporates who are increasingly conscious that network security is as critical to the business as physical security, GEN SAS and CCS get the job done. 

For more information and a demonstration please contact us. 


Outlook Spam/Junk Filter Issues


We recently became aware that some customers using various versions of Microsoft Outlook were experiencing missing email. Our technical team investigated and found the missing emails in the users' Spam/Junk folders. The issue appeared to be localised to the last two months, so we looked deeper and discovered that Microsoft had released an update to the spam filter in Outlook in June. There are two issues that impact this: firstly, some users, due to their configuration, cannot see the 'Spam' and 'Junk Email' folders without going into folder view, and secondly, even if you set the spam filter to 'None' (no automatic filtering) it still in some circumstances takes action when it shouldn't. 

One of the most significant issues that our customers have experienced with this 'change' is that emails between users on the same domain are being flagged as spam, when of course they are not. Surely, if fred@ sends to tom@ then the spam filter should leave well alone? 

Further testing revealed that the updated spam filter was even more sensitive to spammy signatures (HTML signatures that use external images etc.) and that by removing the signature the email was passed. 

The spam filter can be disabled within the Outlook settings, but we have found, and users have reported, that Outlook continues to filter regardless. Therefore we have found registry settings that can be applied to all three versions of Outlook to permanently disable the spam filter, and this is our recommended option if you don't have the time or enthusiasm to educate the user base on how to manage Outlook's crazy spam filter. A link to these registry files can be found in our FAQ here. If you have Office 365 then you can also find an article on how to disable its spam filter at the same link. 

© 2015 GEN

AntiSpam and AntiVirus Defence

GEN's development team is pleased to announce the general availability of our new anti-spam service for corporate email gateways and domains. Maxim extends our standard anti-spam and anti-virus gateways by providing process-intensive enhanced spam and virus detection which reduces the volume of spam to virtually zero.

We asked 47 professional users of the GENZone platform to participate in the trial of this new service by subscribing to an IMAP folder called 'Maxim' and moving any spam received into that folder. Using this feedback we were able to fine-tune the system to maximise its effectiveness and gather valuable performance metrics. 

The fight against Spam

The detection of spam is a continuous battle between the spammers and companies like us who are dedicated to eliminating it. As we evolve so do the spammers, and we have to invest in ever more complex and expensive technologies to counter them. Some of the technologies are outlined below: 

Standards: The internet is governed by a set of standards known as RFCs; the email transport protocol (SMTP) is specified by RFC 5321 and the message format by RFC 822, now RFC 5322. The standards exist so that email can be interoperable between all platforms and servers, but spammers using email bots don't care about being compliant. By enforcing the standards and rejecting violations we can eliminate a percentage of spam, and of course some legitimate email from organisations who can't configure their email system correctly. 

The blacklist: A number of worthy organisations like Spamhaus, SpamCop, etc. are dedicated to maintaining lists of domains, hosts and subnets which are used to originate spam. Using these blacklists is an expensive but effective tool to eliminate a good percentage of spam at the first gate. Blacklists, however, are not real-time, and there is always a delay between a spammer launching a mass mailing and the blacklists listing it. 

Authentication: Several technologies exist to verify sender domains and hosts, such as SPF and DKIM, and these can serve (where checked by the receiving server) to block spoofed spam, which constitutes the vast majority of scams. For example, HMRC, who are under constant attack from scammers, specify in their SPF record the two hosts that are allowed to send email for @hmrc.gov.uk, and of course the spammers cannot originate email from those addresses, so SPF wins the day and any email from an @hmrc.gov.uk address that doesn't come from the two hosts listed in the SPF record is canned. One caveat: SPF is evaluated against the envelope sender (the SMTP MAIL FROM), not the From: header the user sees, so a scammer who uses their own domain in the envelope passes SPF while still displaying an @hmrc.gov.uk address; closing that gap needs the From: domain to be checked for alignment as well, which is what DMARC adds on top of SPF and DKIM. This all falls down, however, when either the receiving server doesn't check, the sending organisation doesn't use it, or the sending organisation has been compromised.

DNS: The domain name system is what converts gen.net.uk to 212.140.242.10 and back again, and when you send email to someone @gen.net.uk, DNS gives up the address of the mail server designated to receive that email, in this case farpoint.gen.net.uk. The host requirements RFCs (RFC 1122 and RFC 1123, Internet Standard 3) and the DNS operational guidance built on them expect every host on the internet to have matching forward and reverse DNS, that is gen.net.uk to 212.140.242.10 and 212.140.242.10 back to gen.net.uk. So, when a host claiming to be spammer.com connects from 212.140.242.50 to our mail server, we check that 212.140.242.50 reverse-resolves to a name that resolves back to 212.140.242.50 (and, ideally, belongs to spammer.com), that spammer.com has a valid MX record, and that the host listed in the MX record actually exists on the internet. This is particularly hard for a spammer to forge and therefore this check eliminates a percentage of spam, as well as a percentage of legitimate email from companies who don't know how to set up DNS correctly. 

Content filtering: By far the most effective tool at eliminating spam which passes all the above tests is pattern matching. This involves looking for and detecting elements in the body of an email and assigning a score to each detection. An example would be an HTML-only email, which scores 3 points, or external links to pictures, which score 0.2 points each, and so on. The more spammy the email the more points it will accumulate, and once a threshold is reached the message is flagged as spam. Content filtering can make use of content lists which are maintained by third parties and provide known phrases and content to score. 

Bayesian probability filtering: A gross simplification of this would be that email which is known to be spam can be 'learned' and that data used to identify 'similar' spam. The area of mathematics is complex and the techniques even more so, but the result is the same in that spam that looks like spam based on learned data can be flagged as such, usually by giving it a score, such as +10.
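An added example (not Maxim's code) that runs the stages above, apart from the Bayesian one which needs a trained corpus, over constructed messages: standards checks on the HELO name and the mandatory headers, a DNSBL lookup, SPF against the envelope sender with a From-header alignment check (the DMARC idea), the reverse-DNS/MX consistency test, and the content weights the article quotes (HTML-only 3, external image 0.2 each). The DNS and DNSBL tables, the remaining weights and the threshold of 5 are made-up stand-ins for live lookups and a tuned policy.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for live DNS and DNSBL lookups (not real records).
DNS = {
    "ptr": {"203.0.113.10": "mail.legit.example", "198.51.100.7": "dyn-7.isp.example"},
    "a":   {"mail.legit.example": "203.0.113.10", "mx.legit.example": "203.0.113.20"},
    "mx":  {"legit.example": ["mx.legit.example"], "spammer.example": ["mx.spammer.example"]},
    "spf": {"legit.example": ["203.0.113.10"], "bank.example": ["192.0.2.5"]},
}
DNSBL = {"198.51.100.7"}


@dataclass
class Message:
    client_ip: str      # address the SMTP client connected from
    helo: str           # HELO/EHLO argument
    mail_from: str      # envelope sender: what SPF is evaluated against
    headers: dict       # message headers (RFC 5322)
    body: str


def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def score(msg, dns=DNS, dnsbl=DNSBL, threshold=5.0):
    """Return the total score, the spam verdict and the reasons that contributed."""
    hits = []

    def add(points, reason):
        hits.append((points, reason))

    # Standards: a real MTA sends a fully qualified HELO and the mandatory headers.
    if "." not in msg.helo:
        add(1.5, "HELO is not a fully qualified name")
    present = {k.lower() for k in msg.headers}
    for h in ("from", "date", "message-id"):
        if h not in present:
            add(1.0, f"missing {h} header")

    # Blacklist: first gate, cheap but lagging.
    if msg.client_ip in dnsbl:
        add(4.0, "client IP listed on DNSBL")

    # Authentication: SPF for the envelope domain, then alignment with the visible From.
    env_domain = _domain(msg.mail_from)
    if env_domain in dns["spf"]:
        if msg.client_ip not in dns["spf"][env_domain]:
            add(5.0, "SPF fail")
    else:
        add(0.5, "no SPF record for envelope domain")
    hdr_domain = _domain(msg.headers.get("From", ""))
    if hdr_domain and hdr_domain != env_domain and hdr_domain in dns["spf"]:
        add(3.0, "From header domain not aligned with envelope sender")

    # DNS: reverse must round-trip to the same address; sender domain needs a live MX.
    ptr = dns["ptr"].get(msg.client_ip)
    if ptr is None:
        add(2.0, "no reverse DNS")
    elif dns["a"].get(ptr) != msg.client_ip:
        add(2.0, "forward and reverse DNS do not match")
    mx_hosts = dns["mx"].get(env_domain, [])
    if not mx_hosts:
        add(2.0, "sender domain has no MX")
    elif not any(h in dns["a"] for h in mx_hosts):
        add(2.0, "MX host does not resolve")

    # Content: the weights quoted in the article.
    if msg.headers.get("Content-Type", "").startswith("text/html"):
        add(3.0, "HTML-only body")
    ext_images = re.findall(r"<img[^>]+src=[\"']https?://", msg.body, re.I)
    if ext_images:
        add(0.2 * len(ext_images), f"{len(ext_images)} external image(s)")

    total = round(sum(p for p, _ in hits), 2)
    return {"score": total, "spam": total >= threshold, "reasons": [r for _, r in hits]}


# Constructed sample messages (not real mail).
def sample_ham():
    return Message("203.0.113.10", "mail.legit.example", "bob@legit.example",
                   {"From": "Bob <bob@legit.example>", "Date": "Tue, 6 Oct 2015 09:00:00 +0100",
                    "Message-ID": "<1@mail.legit.example>", "Content-Type": "text/plain"},
                   "Hi, the invoice is attached.")


def sample_spam():
    return Message("198.51.100.7", "PC", "security@bank.example",
                   {"From": "Bank Security <security@bank.example>", "Content-Type": "text/html"},
                   '<html><img src="http://x.example/a.gif"><img src="http://x.example/b.gif">'
                   '<a href="http://x.example/login">Validate your account</a></html>')


def sample_misaligned():
    # Envelope sender is the spammer's own domain (so no SPF failure); the visible From is the bank.
    return Message("203.0.113.10", "mail.legit.example", "bounce@spammer.example",
                   {"From": "<alerts@bank.example>", "Date": "Tue, 6 Oct 2015 09:00:00 +0100",
                    "Message-ID": "<2@spammer.example>", "Content-Type": "text/plain"},
                   "Please confirm your details.")
```

The third sample is the case the SPF paragraph's caveat describes: SPF alone scores it only 0.5, and it is the alignment and MX checks that push it over the threshold.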

When you combine all these techniques together you wind up with a spam detection system that, in our tests, has an effective detection rate of 99.67%, which is exceptional in the market. Spammy email is passed through with subject modifications for your gateway to filter (or not) as you require, or for individual users to filter using IMAP or similar rules. Full diagnostic information is provided in email headers to permit more complex filtering based on spam score or infection type, should this be required by your IT team. 

Customers with GENX and GENZone, and those with gateways and dedicated services, can have this added to their email feed for a nominal charge. 

For more information or to request a demo, please contact us today.  
