Monday, August 22, 2016

GuardKey - your sensitive data protection solution for local storage, portable storage and also cloud storage (e.g. Dropbox, Google Drive, OneDrive, etc.)

"A lot of people use Dropbox.

A lot of people put a lot of valuable, sensitive and personal data inside Dropbox.

A lot of people make the mistake of not encrypting their valuable, sensitive and personal data before they put it inside Dropbox.

Which all adds up to a whole heap of trouble if Dropbox suffers a data breach."

-- Quoted from Graham Cluley's article titled "The huge Dropbox password leak that wasn't".

Yes, your data in cloud storage such as Dropbox needs a second layer of protection, even though it is already encrypted and looked after by Dropbox.

This is because, most of the time, the data in your cloud storage can be easily accessed once your password is obtained or cracked.

Worse still, most cloud services such as Dropbox offer the convenience of staying logged in once you have successfully signed in from their apps, whether on a computer or a mobile device. This means that whoever obtains physical access to your computer or mobile device with an active session to your cloud service can easily access your data without even needing to know your password!

Nowadays, most cloud services like Dropbox do offer additional security through 2-step verification, which requires a second verification via SMS, USB key, etc. besides your password. However, novice users find it difficult to configure and activate, and the USB key method has limitations, such as working only when the cloud service is accessed with the Google Chrome browser. In addition, this 2-step verification does not close the open-session loophole described in the paragraph above.

I found a wonderful product called GuardKey which fills this gap perfectly by offering data encryption and concealment not only for your cloud storage, but also for your local storage (e.g. hard disk, NAS storage, SAN storage, etc.) and portable storage (e.g. USB drive, SD card, etc.).

GuardKey is a USB dongle with the following components:
  • A unique AES-256 encryption/decryption key.
  • Windows software to be installed on your computer to perform seamless encryption and decryption of the data in your Safebox (an invisible folder in your storage device; everything in it is protected by GuardKey).
  • 8 GB of free storage, so that you can also use the dongle as a normal USB drive.

This metallic USB key has a solid and durable look and feel.

There is always a trade-off between security and convenience. The stronger the security measure, the more inconvenient it becomes for the user, and vice versa. The beauty of GuardKey is that it gives the user a wide range of settings to choose between high security and high convenience.

If the user opts for high security, the Safebox can only be opened with the USB dongle and a password. At a more convenient level, it only needs the USB dongle, without entering a password. Plug in your GuardKey dongle and you have access to your Safebox; pull out your GuardKey dongle and your Safebox is hidden, and even if it is found, all the data inside it is encrypted with AES-256 (Advanced Encryption Standard with a 256-bit key), a military-grade encryption method recommended by the NSA for the US government to protect Top Secret information.

Alternatively, you can also make it possible to unlock the Safebox without the USB dongle, by using the GuardKey Viewer mobile app. The mobile device running GuardKey Viewer needs to be paired with the GuardKey application running on the computer before it can be used as a mobile unlocker for the Safebox.

There are 2 levels of mobile unlock security: a six-digit one-time password (OTP) which changes every minute, or a randomly ordered sequence of images combined with the six-digit OTP.
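As an added illustration (not GuardKey's own code; the post does not say how its mobile unlock works internally), here is how a six-digit code that rolls over every minute is commonly produced and checked: a counter derived from the clock is fed into HMAC, as in RFC 4226/6238. The 60-second step, the tolerance of one window either side for clock drift, and the RFC reference secret are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// step is the code lifetime. The post says the code changes every minute, so
// 60 s is used here; this is an assumption about the scheme, not its spec
// (most authenticator apps use 30 s).
const step int64 = 60

// hotp computes a six-digit RFC 4226 code for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp maps Unix time to a counter (RFC 6238) and reuses hotp.
func totp(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/step))
}

// verify accepts the current window and one window either side, so a slightly
// drifted phone clock still works; the comparison is constant-time.
func verify(secret []byte, code string, unix int64) bool {
	for _, skew := range []int64{-1, 0, 1} {
		if hmac.Equal([]byte(totp(secret, unix+skew*step)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 reference secret, constructed for the demo
	fmt.Println("code for this minute:", totp(secret, time.Now().Unix()))
}
```

Because the phone needs only the shared secret and a clock, the code never travels over a telco network. The pairing step the post mentions is the natural point at which such a shared secret would be established, though the post does not say how GuardKey does it.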

GuardKey supports the creation and use of a Safebox on local disk (including portable storage) and also in cloud storage.

Supported cloud storage services include Dropbox, Google Drive, OneDrive, ASUS WebStorage, Box, SugarSync, and other cloud storage services that sync with local disk, for which the user needs to tell GuardKey the location of the sync folder.

GuardKey supports one Safebox per storage drive. The screenshot below shows that I have created one Safebox for local drive D and another for Dropbox.

The data inside these Safeboxes is encrypted and not accessible until they are unlocked by GuardKey. A virtual drive is then mounted, with the Safeboxes accessible as folders in it. Once they are relocked, they disappear from the virtual drive, and if all the Safeboxes are relocked, the GuardKey virtual drive is also unmounted and disappears.

By using GuardKey, you can therefore ensure that all your AES-256 protected data in the Safebox remains unreadable and inaccessible, even if your computer is stolen, seized or hacked. By encrypting your files and folders in cloud storage with GuardKey, you can also protect them from leaking or being exposed through hacking or unauthorized access to your cloud storage account.

The same GuardKey USB dongle can be used on multiple computers to access the encrypted data in your cloud storage, so that you can reach your files from any computer with GuardKey installed by using your dongle. In addition, you can also access your Safeboxes in cloud storage from your smartphone by using the GuardKey Viewer mobile app.

GuardKey is a well-thought-out product. If you lose your USB dongle and have not enabled the mobile unlock option, you are still able to unlock your Safebox and rescue the data inside by using the backup AES-256 key residing on your local disk, which requires your password to be used.

If you are concerned about this "backdoor" measure for emergency data retrieval, you can store your AES-256 key on another USB disk and lock it in a secure physical safe, then delete and wipe the backup key on your local disk, which resides in the data folder of the GuardKey installation path.

Although the metallic GuardKey dongle is solid and looks durable, you might wonder what happens if it becomes faulty and no longer usable. Without the key, how are you going to access your valuable data protected by GuardKey? This situation has also been thought about, and there is a mechanism within the GuardKey software that allows you to duplicate the dongle to another USB disk.

In conclusion, GuardKey is found to be very flexible between security and convenience, which you can adjust according to your needs. In high security mode, I believe it is fit for commercial and industrial use. In high convenience mode, such as unlocking on the fly with the USB dongle without a password, it can still protect your data, provided that your USB dongle does not fall into the hands of someone who at the same time also has your computer.

Tuesday, August 9, 2016

OCBC 360 Savings Account with up to 4.1% interest rate

I have opened an OCBC 360 savings account, which is statement-based and has no passbook.
An ATM card can be applied for at a one-time cost of RM8, for the convenience of account transactions at ATM machines.

This account has a fixed interest rate of 0.5% per annum. On top of that, there are 3 categories of additional interest of 1.2% per annum each, earned on deposit amounts up to RM100k.

The 3 categories are:

  • Deposit: deposit a minimum of RM500 into the OCBC 360 account within the month.
  • Bill Payment: make at least 3 bill payments from the OCBC 360 account using Internet banking or mobile banking within the month. This includes payments to an OCBC credit card, an OCBC housing loan, and any of the participating billing organizations available in the OCBC Internet banking or mobile banking service.
  • Credit Card: link an OCBC credit card to this 360 account, and charge at least RM500 in aggregated retail transactions to the credit card within the month. The calculated amount excludes credit card fees and charges, balance transfers, instalment plans, cancelled transactions, etc.

Therefore, the maximum possible interest rate is 0.5% + (1.2% x 3) = 4.1%, for the first RM100k of deposit. The interest rate for any amount above RM100k remains 0.5% only.

This interest structure is pretty attractive and comparable to fixed deposit accounts.

OCBC 360 is an adult savings account for individuals above 18 years old, and its possible 4.1% interest rate is even higher than most junior and/or teen savings accounts, which in turn are higher than most normal savings accounts.

This account is insured by the Malaysian Deposit Insurance Corporation (PIDM) for deposit amounts up to RM250k.

Apparently, this is a tactic for OCBC to attract working people to centralize their banking with them, including monthly salary deposits, monthly bill payments, and credit card spending.

OCBC has been known for giving attractive offers with innovative products, such as their previously famous Titanium credit card. However, they also have a track record of making such attractive offers unattractive after a few years.

This OCBC 360 savings account was introduced sometime in December 2015, so it is still considered new. I think this attractive offer will stay around for quite some time, and if OCBC plays the trick of making it unattractive again, we can always pull out and deposit our money in another, more attractive bank account.

Wednesday, August 3, 2016

The hacking of Telegram app and the vulnerability of relying on SMS as authentication method

Yesterday (2 August 2016) there was news that the mobile phone numbers of 15 million Iranian Telegram users had been exposed and more than a dozen accounts compromised by hackers.

A chain is only as strong as its weakest link. This incident showed that SMS, which is currently commonly used as an authentication method in many online services including online banking systems, is vulnerable to security breaches and could be the weakest link in the security measures.

Coincidentally, Focus Malaysia Issue 191 dated 29 July 2016 also discussed this vulnerability in its featured article titled "Overcoming The Two-Factor Vulnerability: When it comes to securing your web accounts, two-factor authentication using SMS is safer than just a standard password. But recent cases have shown that it might be time to move away from that."

Why is it not a good idea for online service providers to use SMS as a security measure?

Firstly, the sending and receiving of SMS depends on the telco's service, which is entirely outside the control of the online service provider. Therefore, it is vulnerable to eavesdropping, hijacking, impersonation, replication, and other kinds of security breaches along the sending and receiving path.

Secondly, technically speaking, personnel working at the telco can also easily manipulate the SMS, since the control is with them. This is very likely what happened to the Telegram users in Iran.

Thirdly, as mentioned in the Focus Malaysia article, the code sent by SMS can be obtained through social engineering.

Fourthly, since the SMS is sent to the phone, if the user loses his/her phone with the mobile apps for online banking, online stockbroking, etc. installed, and those apps use SMS for authentication, whoever gets the phone can easily take control of the user's accounts, unless the SIM card in the phone is immediately barred, which disables its SMS function.

As for the Telegram app, you can further secure your Telegram account by activating two-step verification, which will require your password to log in besides your mobile phone number.

To activate two-step verification in the Telegram app, go to Menu > Settings > Privacy and Security > Two-Step Verification and set your recovery email there. Your email can then be your last resort to safeguard your account from hijacking.
