Category Archives: ISO 27001


Implications for Eddystone-URL in Chrome 44

When I wrote my last post about Eddystone, I was not aware that Chrome already included an update to scan for nearby Eddystone beacons. Chrome version 44.0.2403.65, available in the Apple App Store (not in the Play Store as of writing), now lets Chrome users open a URL broadcast by Eddystone-URL.

This change is profound! The implications are as follows:

  1. Developers no longer need to write iOS code to access the functionality offered by beacons. This is a liberation from Apple iBeacon, which must use native iOS APIs.
  2. A web developer can now add physical-object interaction to their website. Website content can be targeted to a micro-location.
  3. Security-wise, the URL is unfiltered. A curious user clicking on a broadcast URL may be directed to a malware-infected website.
  4. Privacy-wise, by enabling Eddystone and using Chrome to launch the URL, Google knows where you are even when GPS is turned off or blocked. The Eddystone beacon's location is your location. Therefore Google has better “insights” into the locations and times of your activities, with 20 m accuracy.

Likely Firefox and other browsers will follow and enable Eddystone. I will test out this feature with my Raspberry Pi BLE project and write about it in the next blog post.

Eddystone-URL opens doors to opportunities and threats

Google launched the Eddystone beacon project and created a new ecosystem connecting physical items with the Internet. The Estimote Eddystone page gives an example: “The URL could be a regular web page providing relevant information—e.g., a beacon next to a movie poster could broadcast a link to a YouTube trailer. It also could be a dynamic web application, with contextual parameters embedded in the URL—e.g.,”

How true is this statement? What infrastructure is needed to enable this seamless integration between the physical and the virtual? More importantly, what are the security and privacy implications?

The importance of the Eddystone project comes from its introduction of an open-source format for broadcasting a URL from physical items. In layman's terms, it enables every physical object to have a unique URL through a BLE device attached to it. Any smartphone following the protocol will pick up the Bluetooth signal, decode it and bring up a web page showing relevant info. It is much more flexible than iBeacon, which only broadcasts a UUID, Major and Minor.

The implication is that you DO NOT need to type the web link manually when you see a poster. The poster and your smartphone talk, and the website is shown. NFC does this too, but its range is too short. BLE has an effective range of 20-30 metres.

Sounds simple, but currently no browser is able to receive the Bluetooth signal by default. The future implementation will require the user to install a mobile app specifically built with Eddystone functions. Take the example mentioned in the Estimote developer doc: the YouTube app needs to launch a new version with Eddystone enabled to show the trailer. (Given that Google owns YouTube, it is a massive advertising opportunity for YouTube.)

User Experience Issues

On user experience, I reckon that a new version of YouTube will add a “Scan nearby” button and, when pressed, a list of URLs (broadcast via the Eddystone protocol) will be shown for the user to select from. YouTube will have hyperlocal targeting capability and be able to show relevant videos relative to where the user stands.

However, it is not that convenient or promising. Eddystone-URL is an open standard and not encrypted; because of business competition, each mobile app developer will not decode a received URL if it is not from their own company. A Nike shopping app will not show a Starbucks URL even if it detects a strong signal. To enjoy the benefit and browse the information advertised by Eddystone-URL, a user needs to change app every time he moves from one shop to another. Actually, the major roadblock is that the user must already know which app to launch. For a movie poster, it may be the YouTube app. For car parks, is it the car park operator's app? Or the shopping mall app? Or just Google Maps? Launching the wrong app will not decode the URL or display the relevant information.

Changing apps frequently and needing prior knowledge of which app to launch are impediments to wider adoption of Eddystone. Wouldn't it be nice if Google released a new version of Chrome that accepted URL input in addition to the decade-old address bar?

When Chrome is Eddystone-enabled, users will be able to see suggested URLs from the surrounding environment. Each Eddystone-URL-enabled physical object will broadcast its own URL, and a smartphone user will be able to select which object interests them most. When this happens, there are security concerns.

Security Issues with Unfiltered Eddystone-URL

The prime objective of phishing emails and spear-phishing is to lure users into clicking a URL and visiting a website. Sometimes the URL brings up a website that is already infected with malware; other times the exploit is in the URL itself. If there is another channel to deliver a maliciously crafted URL to users' smartphones, I am sure attackers and cybercriminals will welcome it with open arms! Like most Internet standards, security features are missing in the first version. (Anyone remember what happened when the first Wi-Fi standard was released?) The Eddystone protocol does not provide a mechanism to validate or authenticate the broadcast URL. Eddystone only specifies the data format; application-layer security is missing. If a user sees a broadcast URL in the browser and there is no easy way to validate that its content is safe, out of curiosity the user will likely open the URL to find out what it is. Their smartphone may be infected with malware if the website is controlled by cybercriminals. When browsers are enabled with Eddystone-URL, there is a risk of bogus beacons broadcasting URLs that point to phishing websites. This will hugely impact the adoption and usefulness of Eddystone-URL.

A filtering mechanism or URL authentication is essential to the wide adoption of Eddystone-URL. Broadcasting URLs from physical objects will enable lots of innovative applications by directly bringing rich content into our physical world. However, when this technology gains majority acceptance, security and user protection are a must.
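The two posts above describe the Eddystone-URL format (a BLE beacon broadcasting a compressed URL) and then argue that, because nothing in the frame authenticates the URL, a filtering mechanism on the receiving side is essential. As an added example, not code from the original posts or from Google's Eddystone project, the following Python decodes a constructed Eddystone-URL frame and applies a receiver-side HTTPS-plus-allowlist policy before the URL is shown; the sample frames and the allowlist contents are assumptions.

```python
from urllib.parse import urlparse

# Eddystone-URL frame layout (from the public Eddystone specification):
#   byte 0: frame type 0x10, byte 1: TX power at 0 m (signed int8),
#   byte 2: URL scheme prefix, bytes 3..: encoded URL (printable ASCII
#   copied through, a few byte values expand to common domain endings).
URL_FRAME_TYPE = 0x10
SCHEME_PREFIX = {0x00: "http://www.", 0x01: "https://www.",
                 0x02: "http://", 0x03: "https://"}
EXPANSION = {0x00: ".com/", 0x01: ".org/", 0x02: ".edu/", 0x03: ".net/",
             0x04: ".info/", 0x05: ".biz/", 0x06: ".gov/", 0x07: ".com",
             0x08: ".org", 0x09: ".edu", 0x0A: ".net", 0x0B: ".info",
             0x0C: ".biz", 0x0D: ".gov"}


def decode_eddystone_url(frame):
    """Return (tx_power_dbm, url) from the service data of an Eddystone-URL frame."""
    if len(frame) < 3 or frame[0] != URL_FRAME_TYPE:
        raise ValueError("not an Eddystone-URL frame")
    tx_power = int.from_bytes(frame[1:2], "big", signed=True)
    if frame[2] not in SCHEME_PREFIX:
        raise ValueError("unknown scheme prefix byte %#x" % frame[2])
    url = SCHEME_PREFIX[frame[2]]
    for b in frame[3:]:
        if b in EXPANSION:
            url += EXPANSION[b]
        elif 0x21 <= b <= 0x7E:  # printable ASCII is copied through verbatim
            url += chr(b)
        else:  # 0x0E-0x20 and 0x7F-0xFF are reserved by the spec
            raise ValueError("reserved byte %#x in encoded URL" % b)
    return tx_power, url


def is_allowed(url, allowed_hosts):
    """Receiver-side filter: HTTPS only and host on a (hypothetical) allowlist,
    since the frame itself carries nothing that proves who placed the beacon."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def screen_frame(frame, allowed_hosts):
    """Decode a frame and decide whether its URL may be shown to the user."""
    try:
        _, url = decode_eddystone_url(frame)
    except ValueError:
        return None, False  # malformed frame: never surface it
    return url, is_allowed(url, allowed_hosts)


# Constructed sample frames (not captured from real beacons).
TRAILER = bytes([0x10, 0xF0, 0x03]) + b"youtu.be/abc123"                  # https://youtu.be/abc123
UNTRUSTED = bytes([0x10, 0xEC, 0x02]) + b"trailer" + bytes([0x00]) + b"x"  # http://trailer.com/x
ALLOWED_HOSTS = {"youtu.be"}  # assumed deployment policy

if __name__ == "__main__":
    for f in (TRAILER, UNTRUSTED, b"\x10\xF0\x03\x7F"):
        print(screen_frame(f, ALLOWED_HOSTS))
```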

Real risk of our digital life – Obedience

The NYT article “Review: ‘The Digital Doctor’ by Robert Wachter Weighs Medicine’s Technological Transformation” reminds us that we are facing a different kind of risk when instructions are computer-generated. The risk we were facing or dealing with in the past decade has evolved. Now, the real risk is human obedience to machine output! This example shows that machine-to-human interfaces are obstacles to human-to-human collaboration.

Imagine if the number of pills had been hand-written: would the nurse have enquired about the abnormally large amount? Computer screens and print-outs seem embedded with some magical power. Maybe people are not confident enough to challenge a computer. They are trained to trust it!


“The other big problem behind the overdose was more cultural, and even harder to solve. In a setting in which all exchanges are digital, informal chat (“Do you believe the dose they just ordered?”) tends to vanish. Instead, everyone sits at an individual monitor, immersed in an individual digital world, tuning out the beeps.”

The Most Read Terms and Services: what an age-guessing tool tells us about our uses of personal information

In the last 48 hours, age became a hot topic on Facebook, thanks to Microsoft's free age-guessing online tool. It proves age is still a contentious topic, regardless of gender, race and, obviously, age. A marvellous marketing gimmick!

As always happens, once a story catches fire, a few risk-averse or investigative minds start to dig deeper and uncover an inconvenient truth: the terms of this service authorise Microsoft to use user photos for more than just age-guessing. Exactly what the future uses are is unknown!

Having worked in cloud computing and outsourcing for the last 5 years, I find it not unusual to see such user terms and conditions. Most of them are crafted so that almost all risks are excluded from the service provider's liability. The legal counsels are paid to read all reported and unreported court cases and protect the company, Microsoft in this case.

The basic assumptions of data privacy protection are in question here, and this case offers a chance to review them.

Is consent from the user enough?

Clearly, the intention of a user uploading the photo is to find out their age and gender. Users don't expect it to tell whether they have diabetes or what their sexuality is (it may be possible with enough data points!). However, the service provider's terms open the possibility of other uses of the photo, without specifying what they will be. Service providers are giving themselves some elbow room for future innovations. This is actually a typical way commercial terms respond to data privacy legislation.

Most data privacy laws require informed and specific uses of personal data. The rationale is that as long as users consent to the uses of PII, there is NO violation of data privacy law. However, we have seen software or web service terms that try to include an extensive scope of uses and sometimes unrestricted uses. Users are either lured into giving consent or just ignore the terms completely. Users give consent rather spontaneously!


For those who like to read the legal terms, an extract is reproduced here.

However, by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services.

The Truth about Cloud Security

I still remember introducing cloud security to a Hong Kong journalist back in the winter of 2011 in Wan Chai (HKSAR); we were having a lunch meeting and she was researching cloud computing. At that time, running servers at a remote site was still a weird idea. As always, the question “Is it safe?” was asked. This question was asked spontaneously (if not involuntarily) when I mentioned that the data is processed at an outsourced data centre. The person asking this question actually did not distinguish whether they were referring to unauthorised access in transit, the physical risk of a remote data centre or availability. It is like when commercial airplanes first appeared: when only 1% of the population flew, 99% asked “Is it safe?”

Fast forward to 2015: TechCrunch has an article on this issue, “The Cloud Could Be Your Best Security Bet”, in which Ron Miller explains that the major data breaches came from companies with on-premises servers: “Yet if you think about every major data breach over the last two years, whether Anthem, Sony, JPMorgan or Target, all involved on-premises datacenters, not the cloud.”

Ron made it clear that knowledge is the real differentiator when protecting data. Companies like Sony Pictures are not technology firms, and their investment, staff recruitment and intelligence-gathering capability cannot match companies like Salesforce, Google, AWS etc.

There is another consideration with which I would like to complement his argument. For a non-technology enterprise, or a company that does not offer cloud computing products/services, investment in security controls is usually regarded as a cost centre, which in turn means cheaper is better. For a company like Google, security is a product that they can sell. When evaluating security control investments, cloud service providers are able to invest much more than a bank or an airline company.

Although I agree with Ron's observations, I have to point out that not all cloud service offerings are the same. Again referring to the airline industry metaphor, running a secure cloud computing platform is costly and the bigger players have economies of scale. Budget airlines usually operate flights to less-visited airports and have a niche market. We are going to see similar trends in cloud computing.

In AWS cloud contracts (as in life), read before signing


Lawyers say never to sign (or click on) anything without reading it first, but that rule typically goes out the window when it comes to complex-yet-boring end user licensing agreements (EULAs) and other software licenses.

As John Oliver said in his epic net neutrality screed: “If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement and you’d just go: Agree. Agree. Agree.”

That read-before-clicking mantra holds true for license agreements from cloud providers as well. For example, I would bet that when many startups — which often don’t have legal departments — sign on for Amazon Web Services, they don’t check out all the verbiage fully. And they should.

In particular, there is a provision in the AWS customer agreement that they really should scrutinize. The contract’s Section 8.5 on license restrictions includes the usual restrictions…


No single prediction is perfect, so I look at four

As 2015 approaches, it is time for new year resolutions and wishes. For the security industry, we are busy preparing for another eventful year!!

When preparing our budget and project portfolio, it may be useful to look at predictions from leading security vendors. Cyber security is an intelligence game. Can the Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post to provide my thoughts.

Legend: orange cells are directly related to smartphones. Red words are related to payment systems.

2015 Cyber Security Predictions

| Websense | Sophos | FireEye | TrendMicro |
|---|---|---|---|
| Healthcare will see a substantial increase of data-stealing attack campaigns | Exploit mitigations reduce the number of useful vulnerabilities | Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware. | More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods. |
| Attacks on the Internet of Things will focus on business use cases, not consumer products | Internet of Things attacks move from proof-of-concept to mainstream risks | Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts. | There will be bolder hacking attempts as cyber activity increases. |
| Credit card thieves will morph into information dealers | Encryption becomes standard, but not everyone is happy about it | Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money, and PoS attacks will strike a broader group of victims with increasing frequency. | An exploit kit that specifically targets Android users will surface. |
| Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone | More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years | As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms. | Targeted attacks will become a norm. |
| New vulnerabilities will emerge from decades-old source code | Regulatory landscape forces greater disclosure and liability, particularly in Europe | Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards. | Bugs in open source apps will continue to be exploited. |
| Email threats will take on a new level of sophistication and evasiveness | Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while | Lack of adequate response could result in a major brand going out of business | New mobile payment methods will introduce new threats. |
| As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites | Global skills gap continues to increase, with incident response and education a key focus | With such risks in the corporate realm, cyber insurance as an industry is expected to grow. | We won’t see head-on IoE/IoT device attacks, but the data they process will tell another story. |
| There will be new (or newly revealed) players on the global cyber espionage/cyber war battlefield | Attack services and exploit kits arise for mobile (and other) platforms | | More severe online banking and other financially motivated threats will surface. |
| | The gap between ICS/SCADA and real world security only grows bigger | | |
| | Interesting rootkit and bot capabilities may turn up new attack vectors | | |

Public availability of ISO/IEC 29100:2011 Privacy framework

Last May, at the ISO SC27 meeting held at Sophia Antipolis, WG5 Identity Management and Privacy Technologies voted to make ISO 29100 Privacy framework a public document. After JTC 1 Plenary endorsement at the November 2013 meeting, the standard is now available at (search for 29100). Another document listed there is ISO 27000 Information security management systems — Overview and vocabulary.

For most people in the IT security industry, the relationship between the owner, processor and user of PII is confusing. Table I in ISO 29100 provides a clear and user-friendly way to understand their relationships.

Note from the 2016 SC27 WG5 meetings: a new edition improving consistency and language is planned. The new version should be ready next year.

Privacy Protection Principles: comparing ISO 29100 with Singapore and Hong Kong legislation