Eddystone-URL opens doors to opportunities and threats

Google launched a beacon Eddystone project and created a new ecosystem connecting physical items with Internet. Estimote Eddystone page gives an example : “The URL could be a regular web page providing relevant information—e.g., a beacon next to a movie poster could broadcast a link to a YouTube trailer. It also could be a dynamic web application, with contextual parameters embedded in the URL—e.g., http://my-restaurant.com/check-in?restaurant_id=6523.”

How true is this statement? What are the infrastructures needed to enable this seamless integration between physical and virtual? More importantly, what are the security and privacy implications? 

The importance of Eddystone project comes from its introduction of an open source format for broadcasting a URL from physical items. In laymen’s term, it enables every physical object to have a unique URL through a BLE device sticking to it. Any smartphone following the protocol will grab the Bluetooth signal, decode it and bring a web page showing relevant info. It is much more flexible than iBeacon which only show UUID, Major and Minor.

Implication is that you DO NOT need to type the web link manually when you see a poster. The poster and your smartphone talks and show the website. NFC does this also but the distance is too short. BLE has an effective range of 20-30 meters.

Sounds simple but currently no browser is able to receive Bluetooth signal by default. The future implementation will require the user to install a mobile app specifically built with Eddystone functions. Take the example mentioned in Estimote Develop Doc, Youtube app needs to launch a new version with Eddystone enabled and show the trailer. (Given Google owns Youtube , it is a massive advertisement opportunity for Youtube.)

User Experiences Issues

On user experiences, I reckon that a new version of Youtube will add a “Scan nearby” button and when pressed, a list of URL (broadcast via EddyStone protocol) will be shown to user to select. Youtube will have hyperlocal targeting capability and be able to show relevant videos relative to where the user stands.

However,  it is not that convenient and promising. Eddystone-URL is an open standard and not encrypted, due to business competition each mobile app developer will not decode received URL if it is not from their own company. A Nike shopping-app will not show a Starbuck URL even it detects a strong signal. To enjoy the benefit and browse the information advertised by Eddystone-URL, a user needs to change app every time he move from one shop to the other. Actually the major road block is user must already know which app to launch. For movie poster, it maybe YouTube app. For car parks, it may be the car park operator app? or the shopping mall app? Or just google map? Launching the wrong app will not be able to decode the URL and display relevant information.

Changing apps frequently and prior knowledge to identify which app to launch are not impediments to wider adoptions of EddyStone. Would it be nice if Google release a new version of Chrome which will accept URL input in additional to the decade-old address bar?

When Chrome is Eddystone enabled, user will be able to see suggested URL from the surrounding environment. Each Eddystone-URL enabled physical object will broadcast their own URL and a smartphone user will be able to select which object most interest them. When this happens, there are security concerns.

Security Issues for unfiltered Eddystone-URL

The prime objective of Phishing emails and Spear-phishing is to lure users in clicking an URL and visit a website. Sometimes, the URL brings up a website which already infected with malware. Other times, the exploit is already in the URL. If there is another channel to deliver a maliciously crafted URL to users’ smartphone, I am sure attackers or cybercriminals will welcome it with open arms! Like most of the Internet standards, security features is missing in the first version. (Anyone remember what happen with the first Wifi standard was released!) The Eddystone protocol does not provide to mechanism to validate or authenticate the broadcasting URL. Eddystone only specifies the data format and application layer security is missing. If a user see a broadcasted URL in browser and there is no easy way to validate its content is secure, out of curiosity the user will likely open the URL and find out what is it. Their smartphone may be infected with malware if the website is controlled by cybercriminals. When browsers enabled with Eddystone-URL, there is a risk of bogus beacons broadcasting URL pointing to phishing websites. This will hugely impact the adoption and usefulness of Eddystone-URL.

A filtering mechanism or URL authentication is essential to the wide adoption of Eddystone-URL. Broadcasting URL from physical objects will enable lots of innovative applications by directly bring rich content to our physical world. However, when this technology gains majority acceptance, security and user protection is a must.


CCSP , joint project from CSA and ISC2

(All comments and blog posts are personal opinions. Not related to any organisation.)

I like to share an exciting news about Certified Cloud Security Professional (CCSP℠). This week I received an email from ISC2 on awarding me CCSP designation. The blue color of CCSP (Certified Cloud Security Professional) Logo from ISC2 resembles the sky in a sunny day. Same as the sky here in Singapore.

Risks of running application and services on the cloud has been an impediment  and people (journalist in particular) tends to see the cloudy side! I involved in many discussions on cloud security in my volunteer works in CSA Hong Kong & Macau Chapter. Some of the concerns are valid , in particular the lack of experienced professionals and knowledge framework.

CCSP with the support from CSA and ISC2 is the answer to these concerns. In 2013, visionaries (like Aloysius Cheang from CSA APAC and Hord Tipton from ISC2 ) in both organisations joined together in response to market needs. In the past two years, A few other volunteers from CSA and I worked with ISC2 and their consultant Pearson VUE to develop CCSP CBK and examination questions. It was a rewarding experiences.

The process administrated is very structured and all rounded, with concept mapping, team discussions and psychometric analysis. As a security professional, I am thinking maybe system development life cycle (SDLC) should also make use of similar validation process to ensure each feature implemented is user facing and also balanced!

Developing Cloud Security certification is a challenge due to its extensive scope. The final CBK covers six domains:

  • Architectural Concepts & Design Requirements
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal & Compliance

Very few people acquired working experiences in all six domains. However, learning cloud technology knowledge and applying security principles in a virtualised environment are both achievable via CCSP CBK. Studying CCSP domains and passing the exam will help security professional to gain knowledge in a structure way, thus able to demonstrate their security skills are not outdated.

Real risk of our digital life – Obedience

NYT article “Review: ‘The Digital Doctor’ by Robert Wachter Weighs Medicine’s Technological Transformation”  reminds us that we are facing a different kind of risk when instructions are computer generated. The risk we were facing or dealing in the past decade has evolved. Now, the real risk is human obedient to machine output! This example show machine to human interfaces are obstacles for human-to-human collaborations.

Imagine if the number of pills were hand-written, will the nurse enquired about the abnormal large amount? Computer screen and print-outs seems embedded  with some magical power.  Maybe people are not confident to challenge a computer. They are trained to trust it!


“The other big problem behind the overdose was more cultural, and even harder to solve. In a setting in which all exchanges are digital, informal chat (“Do you believe the dose they just ordered?”) tends to vanish. Instead, everyone sits at an individual monitor, immersed in an individual digital world, tuning out the beeps.”

The Most Read Terms and Services, how age-guessing tool tell us about our uses of personal information

In the last 48 hours, age became a hot topic on Facebook, thanks to Microsoft How-Old.net free age-guessing online tool. It proves age is still a contentious topic, regardless gender, race and obviously age. A marvellous marketing gimmick!

As it always happens, once a story caught fire, a few risk aversive or investigating minds start to dig deeper and uncover an inconvenient truth — the terms of this service authorise Microsoft to use user photos more than just age-guessing. Exactly what are the future uses are unknown!

Working in cloud computing and outsourcing for the last 5 years, it is not unusual to see such user terms and conditions. Most of them are crafted in a way that almost all risks are excluded from the service provider liability. The legal counsels are paid to read all reported and unreported court cases and protect company like Microsoft in this case.

The basic assumptions of data privacy protection is in question here and this case offered a chance to review it.

 Consent from user is enough? 

For How-Old.net, clearly the intention of user uploading the photo is to find out the age and gender. User don’t expect it to tell if you have diabetes or your sexualities (it maybe possible with enough data points !). However,  the service provider terms open to possibility of others uses of the photo, without specifying what it will be. Service providers are giving themselves some elbow room for future innovations. This is actually a typical way how commercial terms response to data privacy legislations.

Most data privacy law requires informed and specific uses of personal data. The rationale is  as long as users consent with the uses of PII, there is NO violation of data privacy law. However, we have seen software or web services terms tries to include extensive scope of uses and sometimes non-restrictive uses. Users are either lured to give consent or just ignore the terms completely. User gives consents rather spontaneously !


For those like to read the legal terms , extracted here.

However, by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services.

With every BCM audit, you should pay attention to this question “Show me the contract?”

While researching on DR best practices, I uncovered a statistic from Bank of Japan 2012 survey on business continuity. When asked how many days can a bank’s power generator runs on fuel ? The answer is surprising low. Look at this chart on page 25.

 stockpiles of generator fuel

stockpiles of generator fuel

I remember in 2003 New York Blackout, I was working for a bank and their New York data centre staff was forced to drive a long distance and wait for hours to buy generator fuel. When over 40% of  from JP banks do not have fuel supply over 1 day, this number is quite worrying. Japan banks and professionals are well aware of large scale of catastrophes and yet their risk assessment/impact analysis arrive in one day fuel stockpiles.

Think deeper, there are some reasons for not able to store extra fuels. First, fire safety issues. Storage of a large amount of fuel permanently will require extra safety measures. Industrial buildings or data centre location may not allow such storage of inflammable substances. Second would be cost. What else? Third is the estimation of recovery time is not directly link to fuel supply. Within 24 hours, most people would believe they can replenish fuel with confidence. However, the 2003 large scale blackout in New York lasts for 2 days. All generators were put into use and thus supply are going to be tight, you should expecting a long queue. The assumption of continuous fuel supply when disaster or large scale blackout happened simply does not hold.

One better approach is to secure priority access to fuel supply when disaster strikes, So in your next data centre audit , you should ask “Show me the contract?” Auditor are paid to ask tough questions.

The Truth about Cloud Security

Still remember when I was introducing cloud security to a Hong Kong journalists back in 2011 winter at WanChai (HKSAR), we were having a lunch meeting and she was researching on cloud computing. At that time, running servers at a remote site was still a wired idea. As always, the question “Is it safe ?” was asked. This question was asked spontaneously (if not involuntarily) when I mentioned the data is processes at an outsourced data centre. The person asking this question actually do not distinguish if they are referring to unauthorised access while transmuting, physical risk of remote data centre or availability. Like commercial airplane first appears, when only 1% of the population flew, 99% asked “Is it safe?”

Fast forward to 2015, TechCrunch has an article on this issues “The Cloud Could Be Your Best Security Bet” and Ron Miller explained that major data breaches are from company with on-permises  servers :” Yet if you think about every major data breach over the last two years, whether Anthem, Sony, JPMorgan or Target, all involved on-premises datacenters, not the cloud.”

Ron made it clear that knowledge is the real differentiator, when protecting data. Company like Sony Pictures are not technology firm and their investment, staff recruitment and intelligence gathering capability is not able to match with company like Salesforce, Google, AWS etc.

There is another consideration, I like to complement his argument. For non-technology enterprise or company do not offer cloud computing product/services, investment in security controls is usually regarded as a cost centre, in term means cheaper is better. For company, like Google security is a product that they can sell. When evaluating security control investments, cloud services providers are able to invest much more than a bank or an airline company.

Although I agree with Ron’s observations, I have to point out that not all cloud services offering are the same. Again referring to the airline industry metaphor, running secure cloud computing platform is costly and bigger players has the economic of scales. Budget airlines usually operate flights to less visited airport and has a niche market. We are going to see similar trends in cloud computing.

In AWS cloud contracts (as in life), read before signing


Lawyers say never to sign (or click on) anything without reading it first, but that rule typically goes out the window when it comes to complex-yet-boring end user licensing agreements (EULAs) and other software licenses.

As John Oliver said in his epic net neutrality screed: “If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement and you’d just go: Agree. Agree. Agree.”

That read-before-clicking mantra holds true for license agreements from cloud providers as well. For example, I would bet that when many startups — which often don’t have legal departments — sign on for Amazon Web Services, they don’t check out all the verbiage fully. And they should.

In particular, there is a provision in the AWS customer agreement that they really should scrutinize. The contract’s Section 8.5 on license restrictions includes the usual restrictions…

View original post 780 more words