Posts Tagged ‘trust’

Quick Response (QR) codes can be really nice. You see an ad in a magazine or a poster on a wall and want more info? Just point your smart phone at the pattern and scan it with the appropriate app and, voila, all the detail you could care to know pops up in your hand.

At least, that’s how it’s supposed to work when everybody plays nice, and most people do. Of course, if you’ve been reading this blog at all, you know that not everyone does and that every new turn of the technological crank brings not only great opportunity to do some really cool things but also an equal opportunity that bad actors can exploit to do some really not so cool things. QR codes are no different.

[Image: QR code]

For example, here’s a QR code that contains a link to this blog. It would be easy to add more info such as a phone number, email address, etc. but let’s keep it simple.

A QR reader app on your phone should be able to verify this for you. (Note: you may have to print it off and then try scanning the printed version if your phone’s camera has trouble reading it.)

But what if I was a bad guy and instead of pointing you to a benign site, I sent you to a malicious site which automatically downloaded malware to your phone that then sent me a copy of your confidential emails, stored passwords/acct numbers, contacts, text messages, etc. and started sending SMSs to premium services without your knowledge and racked up huge charges for you? Not so good, right?

How can you tell just by looking at a QR code whether it is good or bad? The answer is, you can’t, and that’s the problem. Bad guys know this and some have taken to printing up their own QR codes and sticking them over the top of legitimate ones so as to snare unsuspecting victims.

The better QR reader apps will show you the link they have scanned first so that you can then choose whether to send your browser there or not. Unfortunately, if the bad guy has used a URL shortener such as bitly, TinyURL or others, the actual web site you will be taken to may still be obscured from view.

So, be careful. The best advice is to “trust, but verify.”
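
The link preview that the better reader apps perform can be sketched as follows. This is an added example, not code from the original post or from any particular app: `preview_qr_payload` and `SHORTENER_HOSTS` are hypothetical names, the shortener list is an assumed, non-exhaustive one, and the checks go slightly beyond the post by also flagging a few other ways a link can hide its real destination.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener list; the post names bitly and TinyURL.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com"}


def preview_qr_payload(payload):
    """Describe a decoded QR payload so the user can decide before opening it."""
    text = payload.strip()
    result = {"payload": text, "scheme": "", "host": None, "warnings": []}
    warn = result["warnings"].append
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        warn("malformed link")
        return result
    result["scheme"] = parts.scheme.lower()
    if result["scheme"] not in ("http", "https"):
        warn("not a web link; show it, never open it automatically")
        return result
    if not host:
        warn("web link with no host")
        return result
    result["host"] = host
    if has_userinfo:
        warn("text before '@' is not the site; the real host is " + host)
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENER_HOSTS:
        warn("shortened link; the final destination is hidden")
    try:
        ipaddress.ip_address(host)
        warn("raw IP address instead of a site name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warn("punycode host; it may imitate another name")
    return result


if __name__ == "__main__":
    # Constructed sample payloads, not taken from the post.
    for sample in ("https://example.com/blog", "https://bit.ly/abc123",
                   "https://example.com@203.0.113.7/login", "tel:+15550100"):
        info = preview_qr_payload(sample)
        print(info["host"], info["warnings"])
```

A shortener warning only says the destination is hidden; it does not say the destination is bad, so the decision to open the link still rests with the person holding the phone.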

Who can you trust?

Posted: June 11, 2012 in Uncategorized

That’s a difficult question to answer, especially when you’re dealing with organizations you know only from the opposite end of a wire. This issue lies at the heart of an article quoting me in today’s Raleigh News & Observer “Stump the Geeks” column.

First of all, let me state for the record that I have no firsthand knowledge of the service offering discussed in that column or this blog post or how well their service works. It could be perfect in every way, for all I know, but the issues I’m focusing on here remain the same, so please read this in the spirit in which it was intended: as an example of some of the critical thinking that needs to be employed when dealing with security issues.

With that bit of disclaimer out of the way, let’s consider the case of OpenDNS. Typically the translation of a web site name (e.g. WordPress.com) into its numeric IP address equivalent, which is necessary in order to actually route your request through the network, is handled by a Domain Name System (DNS) server that is provided by your ISP. OpenDNS, however, offers to do this for you instead if you are willing to configure your system to use its services in lieu of the one your ISP provides.

Why would you want to do this? Well, it’s because OpenDNS claims to be able to offer additional controls and security protections that most ISPs don’t. For instance, you can configure OpenDNS to block access to harmful sites based upon objectionable content or security risks by redirecting traffic to a safe landing page rather than the actual site.

Sounds good, right? But who determines what is risky and what isn’t? Do their definitions coincide with yours? With the way “bad” sites pop up and disappear on the Internet on an hour-by-hour basis, can any system based upon reputation (such as OpenDNS) ever hope to keep up with the perpetual game of Whack-a-Mole?

Further, even if all this does work perfectly well, who do I trust more: OpenDNS or my ISP? The reason this last question is important is that one or the other is going to have access to all my web surfing history. If that bothers you, then you need to decide which of the two choices in this example you trust more with that information. Either could be compelled to turn over such information if directed to do so by the Courts, but what about turning it over to other companies who use it to market to you based upon your browsing habits?

I have no idea how to answer that question for you since my sensitivity to risk in this area is bound to differ from yours. It’s the same reason you choose to bank or invest with different companies than I do. It’s a very personal choice but, in the end, it all comes down to … “who can you trust?”