Bryley Basics: Android app-rating site PrivacyGrade

PrivacyGrade, developed by a team of researchers at Carnegie Mellon University, rates Android applications on privacy. Each app is graded on “the gap between people’s expectations of an app’s behavior and the app’s actual behavior”; an app that collects more than users would expect scores poorly.

For example: Google Maps uses location data, as would be expected by most users. However, a game like Fruit Ninja also uses location data, which is unexpected, and which gives Fruit Ninja a lower score.

For details, please visit www.PrivacyGrade.org.

Bryley Basics: Scammer YGDNS.org

We received a seemingly legitimate email from YGDNS.org claiming it needed to settle the registration of our domains, Bryley.com and Bryley.net, in China; the email was marked “urgent” and came with a person’s name, business address, etc.

I queried Mike Carlson, our CTO, who gave this reply:  “No serious problems, but certainly a scam. If you reply you will be offered the opportunity to register the domains along with other overpriced services.

A Google search of “ygdns.org.cn” finds a couple of well-written articles that indicate that this ygdns group has been doing this for a while and, if you respond, they take the extra step of calling. The calls are of the type “This needs to be fixed today!”, hoping to get a “yes” from whomever answers the phone by stressing the perceived urgency.

Note the fact that it was sent…with a “Please forward… …this is urgent” line. Any legitimate registrar conducting a legally or procedurally required inquiry would send the request directly to you, to me, or to our shared network operations mailbox. These are the publicly available addresses associated with the bryley.com and bryley.net registrations. I’ve checked my mailbox and junk mail folder, and done the same on the network operations mailbox. Nothing from this company.”

So, we did not respond to any inquiries from YGDNS.org and advise the same to all.

Merchants should get ready for EMV credit cards in 2015

The aging magnetic-stripe credit cards are being replaced by EMV, a standard built around an embedded microchip.  Unlike the static data on a magnetic stripe, which can be copied and replayed, the chip holds the card credentials and produces a unique cryptogram for each transaction; an optional PIN adds cardholder verification.  These two capabilities combine to reduce fraud by making EMV cards harder to clone and more difficult to use if stolen.

However, retailers and other merchants will need to upgrade credit-card processing hardware to comply with EMV.  Plus, card validation and payment authorization occur in separate, consecutive steps, which may require rewrites to existing Point-of-Sale (PoS) software.
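The following is an added example, not code from the original newsletter, that models the two-step flow above and why chip data resists cloning.  The card numbers, keys and amounts are constructed, and the cryptogram is an HMAC stand-in for the EMV application cryptogram rather than the real EMV algorithm; the point it demonstrates is that a terminal challenge and a transaction counter go into the cryptogram, so captured chip data cannot be replayed, while captured magnetic-stripe data can.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed card numbers and keys; HMAC stands in for the EMV cryptogram.


@dataclass
class MagstripeCard:
    pan: str
    track2: str                 # static track data: a copy is as good as the original

    def present(self, amount, unpredictable_number):
        return {"pan": self.pan, "track2": self.track2, "amount": amount}


@dataclass
class ChipCard:
    pan: str
    key: bytes                  # card-unique key that never leaves the chip
    atc: int = 0                # application transaction counter

    def present(self, amount, unpredictable_number):
        self.atc += 1           # every transaction gets a new counter value
        msg = f"{self.pan}|{amount}|{self.atc}|{unpredictable_number}".encode()
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "un": unpredictable_number, "cryptogram": cryptogram}


class Issuer:
    """Issuer host: step 1 validates the card data, step 2 approves the payment."""

    def __init__(self, limit=5000):
        self.limit = limit
        self.chip_keys = {}     # pan -> key shared with the chip
        self.last_atc = {}      # pan -> highest ATC accepted so far
        self.track2 = {}        # pan -> expected static track data

    def issue_magstripe(self, pan):
        self.track2[pan] = secrets.token_hex(8)
        return MagstripeCard(pan, self.track2[pan])

    def issue_chip(self, pan):
        self.chip_keys[pan] = secrets.token_bytes(16)
        return ChipCard(pan, self.chip_keys[pan])

    def validate(self, req, terminal_un):
        """Step 1: return None if the card data checks out, else the reason."""
        pan = req["pan"]
        if "cryptogram" not in req:
            return None if req["track2"] == self.track2.get(pan) else "bad track data"
        key = self.chip_keys.get(pan)
        if key is None:
            return "unknown card"
        if req["un"] != terminal_un:
            return "challenge mismatch"      # cryptogram was not computed for this terminal challenge
        if req["atc"] <= self.last_atc.get(pan, 0):
            return "stale counter"           # replayed or rolled-back transaction counter
        msg = f"{pan}|{req['amount']}|{req['atc']}|{req['un']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "bad cryptogram"
        self.last_atc[pan] = req["atc"]
        return None

    def authorize(self, req, terminal_un):
        """Step 2 runs only after step 1 passes."""
        reason = self.validate(req, terminal_un)
        if reason is not None:
            return "DECLINED: " + reason
        if req["amount"] > self.limit:
            return "DECLINED: over limit"
        return "APPROVED"


def terminal_transaction(card, issuer, amount):
    """Terminal: fresh challenge per transaction, then send the card's response online."""
    un = secrets.token_hex(4)
    req = card.present(amount, un)
    return issuer.authorize(req, un), req


def clone_demo():
    """Legitimate use of both card types, then three attacker attempts with captured data."""
    issuer = Issuer()
    mag = issuer.issue_magstripe("4111111111111111")
    chip = issuer.issue_chip("5555444433332222")

    legit_mag, captured_mag = terminal_transaction(mag, issuer, 100)
    legit_chip, captured_chip = terminal_transaction(chip, issuer, 100)

    # Copying the captured track data onto a blank card authorizes like the original.
    clone = MagstripeCard(mag.pan, captured_mag["track2"])
    cloned_mag, _ = terminal_transaction(clone, issuer, 100)

    # Replaying the captured chip response at a new terminal fails the challenge check.
    new_un = secrets.token_hex(4)
    replayed_chip = issuer.authorize(captured_chip, new_un)

    # Rewriting counter and challenge still fails: the cryptogram needs the chip's key.
    forged = dict(captured_chip, atc=captured_chip["atc"] + 1, un=new_un)
    forged_chip = issuer.authorize(forged, new_un)

    return legit_mag, legit_chip, cloned_mag, replayed_chip, forged_chip
```

Running `clone_demo()` returns APPROVED for the legitimate transactions and for the cloned magnetic stripe, and DECLINED for both chip replay attempts; the checks in `validate` are the validation step and the limit check in `authorize` is the approval step that the PoS rewrite has to accommodate.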

Other considerations for retailers and merchants:

  • Cards are dipped, rather than swiped, which slows the process
  • EMV-processing applications and certifications take time; apply early
  • PINs can enhance security, but at the cost of slower processing
  • Training staff will be necessary for high-volume credit-card processors

After October 1, 2015, the major card networks (MasterCard, VISA, etc.) shift liability for counterfeit-card fraud to whichever party in the transaction has not adopted EMV, which for a merchant still swiping cards means the merchant rather than the issuer absorbs the loss; a not-so-subtle statement on complying with the EMV standard in 2015.

Recommended practices – Part-5: Software updates and patching

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

In general, software manufacturers update their products for these reasons:

  • Resolve problems
  • Fix vulnerabilities
  • Make the product easier to use
  • Provide new features

The first two are of significant concern, particularly with operating systems (Microsoft Windows, Google Android, Apple iOS, etc.) and with commonly used applications like Microsoft Office, Adobe Reader, etc.

Many operating-system manufacturers, especially those with large user populations (Microsoft, Google, Apple), release patches to address problems and security concerns.  These patches are typically small applications that either replace a portion of the operating system or update specific components (files) of the operating system.

Unfortunately, particularly with Microsoft Windows, patches that resolve an issue can have unforeseen and unintended consequences; a patch designed to fix one area can break things in a different area.  Also, security updates are time-sensitive: once a patch is public, attackers can compare the patched and unpatched code to find the vulnerability it fixes, so it is important to apply security updates promptly.

Like operating systems, many popular applications require occasional updating.  Applications are typically not updated as often as operating systems, but their patching can be critical to fix vulnerabilities.

The IT department or IT-outsourcing partner (e.g., Bryley Systems) of many organizations typically performs patch management with the objective “…to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software.”2  These groups perform their patching in a cyclic fashion, often taking these steps:

  • Verify that the patch has a reasonable purpose in the environment,
  • Investigate its stability and usefulness by checking user forums,
  • Delay (if needed) deployment to ensure widespread acceptance,
  • Test it in the environment before deploying, and
  • Deploy and then validate this rollout.

If a rollout fails, procedures are in place to roll back the operating system or application to its pre-patched state.  Periodic auditing and assessment is useful to ensure that the process is current and appropriate; audits should also identify systems that are not in compliance with the organization’s patching standards.
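The following is an added example, not Bryley’s tooling or the article cited below, that models the cycle just described over a constructed inventory: each patch is held for a soak period (shorter for security fixes, since those are time-sensitive), deployed to a pilot ring first, validated, rolled back on the pilot hosts if the pilot fails, and otherwise deployed to the remaining rings; a compliance audit then lists hosts missing any required patch older than the grace period.  The host names, patch IDs and dates are invented, and `install_fn` stands in for whatever RMM or patch-management agent performs the install.

```python
from datetime import date, timedelta

# Constructed sample inventory: invented hosts, patch IDs and release dates.
PATCHES = {
    "KB-1001": {"released": date(2015, 1, 13), "security": True},
    "KB-1002": {"released": date(2015, 1, 13), "security": False},
    "KB-1003": {"released": date(2015, 1, 27), "security": True},
}
RINGS = {"pilot": ["it-ws01", "it-ws02"],
         "broad": ["fin-ws01", "fin-ws02", "hr-ws01"]}
INSTALLED = {
    "it-ws01": {"KB-1001", "KB-1002"},
    "it-ws02": {"KB-1001"},
    "fin-ws01": {"KB-1001"},
    "fin-ws02": set(),
    "hr-ws01": {"KB-1001", "KB-1002"},
}


def ready_for_deployment(patches, today, soak_days=7, security_soak_days=2):
    """Hold each patch for a soak period before deployment; security fixes are
    time-sensitive, so they get a shorter hold than feature or stability updates."""
    ready = []
    for kb, meta in patches.items():
        hold = security_soak_days if meta["security"] else soak_days
        if today - meta["released"] >= timedelta(days=hold):
            ready.append(kb)
    return sorted(ready)


def deploy(kb, hosts, installed, install_fn):
    """Install kb on the hosts that lack it.  install_fn(host, kb) stands in for
    the management agent and returns True on success.  Returns (newly, failed)."""
    newly, failed = [], []
    for host in hosts:
        if kb in installed[host]:
            continue
        if install_fn(host, kb):
            installed[host].add(kb)
            newly.append(host)
        else:
            failed.append(host)
    return newly, failed


def staged_rollout(kb, rings, installed, install_fn, max_pilot_failure=0.0):
    """Deploy to the pilot ring, validate, then either roll back or continue."""
    newly, failed = deploy(kb, rings["pilot"], installed, install_fn)
    failure_rate = len(failed) / len(rings["pilot"])
    if failure_rate > max_pilot_failure:
        for host in newly:              # roll back the pilot hosts that took it
            installed[host].discard(kb)
        return {"status": "rolled_back", "failed": failed}
    for ring, hosts in rings.items():
        if ring != "pilot":
            failed += deploy(kb, hosts, installed, install_fn)[1]
    return {"status": "deployed", "failed": failed}


def audit(patches, installed, today, grace_days=30):
    """Compliance audit: hosts missing any patch released more than grace_days ago."""
    overdue = {kb for kb, meta in patches.items()
               if today - meta["released"] > timedelta(days=grace_days)}
    return {host: sorted(overdue - have)
            for host, have in installed.items() if overdue - have}


def demo(today=date(2015, 3, 3)):
    """Run one patch cycle over the sample inventory and audit the result."""
    installed = {host: set(kbs) for host, kbs in INSTALLED.items()}

    def agent(host, kb):                # simulated agent: one pilot host rejects KB-1002
        return not (host == "it-ws02" and kb == "KB-1002")

    results = {kb: staged_rollout(kb, RINGS, installed, agent)
               for kb in ready_for_deployment(PATCHES, today)}
    return results, audit(PATCHES, installed, today)


if __name__ == "__main__":
    results, noncompliant = demo()
    for kb, outcome in results.items():
        print(kb, outcome)
    print("non-compliant:", noncompliant)
```

In the sample run KB-1002 fails on one pilot host, is rolled back, and never reaches the broad ring; the audit then flags every host still missing it, which is exactly the gap the auditing step exists to surface.  A rolled-back patch should re-enter the cycle at the investigate/test steps rather than being silently dropped.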

Often, a Remote Monitoring and Management (RMM) tool – GFI, LabTech, Kaseya – or a patch-management tool – PatchLink, SolarWinds, Tivoli – is used to automate and centrally manage the process; these tools permit the timely, managed deployment of patches and updates to groups of computers.

Notes:

2 Quote taken from the article “Essentials of Patch Management Policy and Practice” by Jason Chan of PatchManagement.org; the full article is an excellent, in-depth treatise on this subject.

Other resources:

Winner of our monthly Service-Ticket Survey drawing

Monthly, we select a winner from all respondents to our service-ticket surveys. Congratulations to LR of WI, our survey-response winner from last month.

Our winner received a $10 gift certificate, compliments of Bryley Systems.