Insights For Success

Strategy, Innovation, Leadership and Security

Samsung Note 7 to come bundled with McAfee security

GeneralEdward Kiledjian

Itell Security (formerly McAfee) announced that the Samsung Note 7 will come bundled with McAfee VirusScan mobile security. The press release claims "Samsung customers can enjoy better protection from more diverse and sophisticated threats in mobile world."

Truth be told, I do not advocate using an antivirus on Android smartphones but you have to ensure you don't break any of the built in security features (like side loading apps). To me, this looks like the kind of bundling cash grab we see in the PC space (manufacturers get $1-$5 to bundle an app in the base image helping make the device a bit more profitable). What's surprising is that Samsung would do this kind of bundling deal on its premium $800+ flagship smartphone.

Intel Security to expand mobile security technology to Samsung Galaxy Note7 and Tizen OS based Samsung Z2

- Samsung’s latest Galaxy Note and Tizen OS based Z2 smartphone will come pre-installed with McAfee® VirusScan® mobile security and anti-malware technology
- New ransomware grew 24 per cent quarter-over-quarter in Q1 2016 in Intel Security McAfee Labs Threats Report – June 2016
- Samsung agreed to expand protection from new Samsung Galaxy Note7 to Tizen OS based Samsung Z2

SANTA CLARA, Calif. – Aug. 23, 2016 – Intel Security announced that Samsung’s latest smartphone, Galaxy Note7 and Tizen OS based Z2 will come pre-installed with McAfee® VirusScan® mobile security. McAfee VirusScan Mobile is an anti-malware technology solution that is already helping to provide a more secure mobile experience to millions of Samsung Galaxy users globally. With this collaboration, Samsung customers can enjoy better protection from more diverse and sophisticated threats in mobile world.

According to Intel Security’s McAfee Labs Threats Report – June 2016, there are 305 new threats every minute, or more than five every second. New mobile malware grew 17 per cent quarter over quarter in Q1 2016. Total mobile malware grew 23 per cent quarter over quarter in Q1 2016 and 113 per cent over the last four quarters. In particular, new ransomware rose 24 per cent in Q1 2016 due to the continued entry of relatively low-skilled criminals into the ransomware cybercrime community. This report showcases the need for security against a growing volume of mobile malware and expanding attack surface.

“Mobile threats continue to grow and be more sophisticated as we become increasingly connected. Now mobile devices are the tip of the spear for new hacking methods,” said John Giamatteo, corporate vice president at Intel Security. “Intel Security is combatting these growing mobile threats by collaborating with mobile device manufacturer Samsung to keep customers’ mobile devices, data and privacy safe from vulnerabilities.”

”New customers of Samsung Galaxy Note7 and Samsung Z2 now can enjoy mobile experiences securely with the latest anti-malware solution that Samsung offers,” said Henry Lee, vice president of Mobile Security Technologies of Samsung Mobile. “Security and privacy are at the core of what we do and what we think about every day. It is very important to provide a high level of protection at all times to our customers.”

About Intel Security

Intel Security, with its McAfee product line, is dedicated to making the digital world safer and more secure for everyone. Intel Security is a division of Intel Corporation. Learn more at www.intelsecurity.com.
— Intel Security

Review of JLAB Epic 2 bluetooth sport headphones

GeneralEdward Kiledjian

Introduction

We are a couple of weeks away (probably) from the announcement of the next iPhone and rumors are swirling about the headphone jack being ejected. This means you will have to buy Lightning port headphones or Bluetooth (my vote is Bluetooth for everyday use). Who wants wired headphones that get tangled and caught on things?

What attracted me to the JLAB Epic 2 was the promise of 12 hour battery life and a secure fit. Until this review, the most secure fitting headphones I have ever tried are the Jaybird ones (Sprint and X2).

Sound Signature

The JLab Epic 2 in an in-ear style exercise Bluetooth headphone and the sound signature is clearly aligned with that target market. The sound is tuned to enhance bass (not as much as Monster or Beats headphones) to keep you pumped during your exercise session. If you are looking for a more neutral / balanced sound then this is not for you.

Design

The Epic 2 can be stealth (black version) or very flashy (blue/grey or teal). I opted for the blue/grey. 

You expect sports headphones to be able to handle a much higher level of abuse and the JLAB Epic 2 doesn't disappoint. The product is certified IPX5 which means you can rinse it off after a workout and it can handle sweat and light rain. Just make sure you leave it out to dry otherwise you will shorten the devices useful life.

IPX5 means it can handle water being sprayed on the product from any direction. It does not mean you can wash it with a pressure washer (won't protect from strong jets of water) and you can't dunk it (it is water resistant not water proof). No other major brand can come close to the protection offered by JLAB (not even the venerable Jaybird which labels its products only as sweat resistant).

The material directly around the headphone (aka the part that goes behind your ear) is more rigid which means it will hold a hook shape and stay in place. Couple this with 8 different types of eartips in different shapes & sizes and you are sure to get a very secure fit. 

The JLAB Epic 2 has a small control box that houses the battery, a flap covered USB charging port, a microphone and the usual buttons. Pressing the up/down arrow adjusts the volume. Pressing and holding them skip's or rewinds the song. Pressing and holding the middle multi function button turns the device on/off. Pressing and releasing the middle multi function button pauses the music. 

The antenna

JLAB has spend a lit of marketing space promoting their "RADICAL SKIP-FREE SOUND WITH BEACON™ SIGNAL TECHNOLOGY". I compared reception (or lack thereof) to different Bluetooth headphones from Jaybird, Monoprice, MPOW, Motorola and Beats. I tested it by holding the phone in different places:

  • In my left/right hands
  • In my left/right/back pants pockets
  • In my dress shirt pocket
  • In my shoulder laptop bag

Each test was performed with an iPhones 6s Plus and a Motorola Moto G (Android). I walked outside at least 5 minutes with each pair of headphones in each location. Does the JLAB Beacon signal technology make a difference? Not really. It worked perfectly where the others worked perfectly and it skipped where other products also skipped. 

JLab’s Beacon Signal Technology failed to impress me during my tests.

Performance

I tested the audio quality with on device AAC high powered bass heavy songs and with FitRadio steamed mixes. The first thing I noticed was that the JLAB Epic 2 can get very loud, and that's a good thing. Even with a high bass songs (AAC & streamed) at maximum volume, I didn't notice any distortion. Testing music at more reasonable levels, the bass still stays strong. 

Using the song Africa by Toto (don't judge my music selection), you can hearthe bass enhanced tuning of the Epic 2 (compared to the other Bluetooth headphones). The only other pair with more extreme bass was the Beats (which has a sound signature I dislike).

Using opera, you can again hear how much it emphasizes the bass. This gave me an idea. I love listening to talk radio, podcasts and audiobooks. I realized the enhanced bass also enhances male voices, which made listening to these types of content very enjoyable. 

At no point during my testing did the music sound muddy, garbled or sub-par.

The Jaybird Sprint, Jaybird X2, MPow and Monoprice bluetooth headphones deliver a more neutral sound signature. 

Comparing the Jlab Epic to the Jlab Epic 2

If you already own the JLAB Epic, what does v2 bring to the table? It brings improved water resistance (IPX4 to IPX5). The circuit board in the control unit is now coated to protect the headphoneseven if moisture enters from the USB charging port through the flap. 

JLab also says the antenna is greatly improved but in my tests, I didn't notice it. 

The button arrangement is a little different (not good or bad just different).

The cable (connecting both ear buds) is coated in a matte feeling material JLAB says will minimize tangling and less rubbing sounds when you are working out. I can confirm that these statements are accurate. 

Jlab now includes 2 more tips in the original kit which could help if you had issues in the past. My ears are "normal" sized and I have never bought a pair of headphones that didn't fit.

The flaws

All Bluetooth headphones suffer from the fact that they add one more device you have to remember to charge. If you are forgetful, maybe opt for something with wires instead. JLab's EPIC 2 regularly delivered close to 12 hours of use per charge, which means it is much less likely to die during a workout [than most of its competitors] (Beats got less than 6 hours; Jaybird X2 got about 8 hours, MPow got less than 3).   

If you have large outer ears and deep ear canals, getting a tight fit might be difficult with the wrap behind ear design, but for most "normal" people, this isn't an issue. 

And that's it. I really had to think hard in order to find some flaws. This thing is well designed. 

Summary

Pro

  • Light set of Bluetooth headphones that regularly get 11+ hours of play time per charge
  • Water resistant design (aka rinsable to get the funk out) 
  • Good audio volume with enhanced bass response
  • Works with iPhone and Adnroid devices

Con

  • Even for Bluetooth headphones, the sound quality could be improved (particularly clarity and mids/highs).

Conclusion

Jlab has produced something very impressive with the Epic 2. They are priced much more competitively than other high end sport headphones and the waterproofing/battery life is excellent. 

I just can't recommend these headphones enough. I love them and they have become my daily use headphones while commuting.

 

Review of Sugar Mobile Canadian cell phone provider

GeneralEdward Kiledjian

As a Canadian, I wish we had more mobile phone competition to fuel innovation and drive down prices. Starting a new cell phone provider is expensive. You need licenses, towers and lots of equipment & people.

Sugar Mobile is a Canadian mobile phone competitor that wants to use VOIP technology to "disrupt the mobile marketplace". Sugar Mobile leverages the VOIP infrastructure of its parent company Iristel and the cell phone roaming agreements of sister company Ice Wireless. 

The claim to fame is unlimited North American VOIP calling for $19 a month (which includes 200MB a month of 3G data anywhere in North America). If you use it at home, in the office and coffee shop, you leverage existing WIFI. Anytime you are out an about, your cell uses one of the roaming partners to give you coverage. If you deplete your data allocation for the month, you can buy another $19 card and re-add 200MB or you can use your $19 credit to add 500MB of non expiring data.

Sugar Mobile uses Shoppers DrugMart (Pharmaprix in Quebec) and 7-11 stores accross Canada to sell its credit vouchers. 

How does it work

Unlike US hybrid carriers, Sugar does not offer specially configured mobile phones so you use their service on your unlocked phone via their app. This means you can't use the built in dialer or SMS app on your phone. The app first tries connecting via WIFI then fails back to the cell phone network (you can change this behavior if you want).

Think of Sugar Sync of a amped up Skype or Vyber. Where Skype and Vyber rely on the user to buy mobile data, Sugar leverages its existing relationships with carriers like Rogers to bundle VOIP calling with mobile data. 

The mobile data is too small to stream content, browse data heavy webpages or use navigation regularly. It is enough however (the company believes) to give 80% of its customers more than enough wireless data to make calls until the cows come home.

If you want voicemail and caller ID, you need to pay a one time $19 activation fee.

The app

Considering Sugar Mobile is targeting younger cost conscious pre-paid customers, I chose to conduct my tests on a 2015 Motorola Moto G (which is an entry level Android device which sells for $300 unlocked).

The app installation was fast and easy from the Google Play store and creating my free WIFI only test account took 5 minutes. The app is stable and never crashed during my testing. Any calls made to my Sugar Mobile number reliably rang my phone and allowed me to answer it.

Setting up a conference call is easy and reliable. You dial the second participant, click the join button and voila.

You also have a big red record button.

In the app, you can change these recording settings:

  • ask the service to record All voip calls
  • you can record multi-channel audio (each participant has their own channel in the WAV file)
  • you can choose to have recordings auto-deleted after an elapsed time
  • you can ask the app to make an audible beep when recording is started
  • you can send recordings via email. 

Does it work?

I loaded up the free VOIP only version on a dedicated  Android 2015 Motorola Moto G device (freshly installed Android 6 with no other apps). I loaded and configured the Sugar Mobile app and tested it on a commercial grade internet connection with commercial wireless Cisco gear and a 100MB synchronous internet connection. I wanted to make sure my internet connection didn't introduce any issues.

Before testing Sugar Mobile, I ran a bunch of network tests to ensure the connection was stable, performing optimally and had sub 3 millisecond latency. 

I tested the SMS feature and it worked flawlessly. Messages went back and forth quickly. SMS is easy.

I then made a handful of calls to landlines and cellphones. This is where I encountered the dreaded VOIP calling issues. Skype uses advanced codecs to create a beautiful natural sounding reliable connection (for voice at least). But Sugar Mobile was more like the traditional run of the mill Voip services like Fongo, Whatsapp, Facebook Messenger, Vyber, Telus Extend, etc. 

Sometimes the other person heard me perfectly, other times they couldn't hear me at all. Sometimes the sound was crystal clear other times my partner said I sounded robotic. 

Therein lies the issue with all VOIP providers. Quality isn't a constant. This isn't a Sugar Mobile issue and I experience worse performance from the Telus Extend VOIP app.

Conclusion

I think the concept is good and this makes a decent cheap second line as long as you have regular access to reliable WIFI and have an extra unlocked smartphone. $19 isn't too expensive considering you get 200MB of mobile 3G data a month to use when out and about. Unused data rolls over to the next month and you can always buy more data for $19/500MB.

I have to conduct some more tests but if I want to make a VOIP call and already have access to WIFI then I'll rely on Google Hangouts or Telus Extend (both free). 

I just can't see me using Sugar Mobile as my primary mobile phone service.

 

 

Update 1

Shortly after publishing this article, I started having issues with the app. It started crashing and even after a fresh device reboot, I started having login issues (kept saying registering). After 4 reboot attempts, I gave up and uninstalled / reinstalled the app and it started working again. 

Why use Facebook over the TOR secure network

GeneralEdward Kiledjian

When people think about the TOR network, they either think its a means for criminals to buy illicit products or for fugitives trying to hide their online activities from the law. Tor is much more than that. It is a mechanism to protect your online activities when needed.

Sitting at home, my packets bounce through dozens of different routers before they arrive at their final destination. I just performed a traceroute and had 11 hops between my computer and the Facebook site. Facebook has implemented a handful of security tools to protect your communication with it, but ultimately anyone in that chain knows where my packets are coming from and where they are going. Facebook also knows my source IP which allows it to pinpoint my (fairly accurate) location. 

There have been many highly publicized cases where twitter handed over location and IP information to law enforcement. It is safe to assume Facebook is in the same boat. Anything these companies can log could be turned over. 

ISPs monitor what you do on the Internet and sell the information for marketing purposes
— Sans Institute Security Lab

Even if you log into Facebook and they know you are, by using TOR with Facebook, you prevent your ISP or Facebook's upstream ISP from cataloging your behaviour and then selling it for marketing purposes. You also prevent Facebook from knowing exactly where you are (unless you've given them the permission to use your smartphone's GPS). 

Tor can’t solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don’t want the sites you visit to see your identifying information.
— TOR project

Prior to Facebook implementing a TOR presence (https://facebookcorewwwi.onion/), accessing it usually meant you had a slow performing site that typically didn't render properly. This access issue stemmed from the fact that the Facebook's site management system viewed all TOR traffic as malicious botnet traffic and treated it accordingly. (Accessing Cloudflare protected sites or many Google properties via TOR will see you be given a challenge, to prove you are not a bot trying to attack their systems). 

Cloudflare captcha challenge when you access my site via a TOR enabled browser.

But Facebook understood that there are people that needed to use their service without leaking identification information like IP address, physical location or access route. You could be a Tibetan freedom supporter but still need to communicate with your Facebook community in the diaspora. You are less worried about Facebook knowing you and are more concerned about others knowing that you are accessing Facebook.

I tested the new site and compared it to using the regular Facebook site via TOR and the new purpose built solution is much better. In this case better means faster, more responsive and works as expected.

Facebook supporting TOR also legitimizes TOR and allows others to follow in its footsteps more easily. As an example, it was the first time a major Certificate Authority (Digicert) issued an encryption certificate allowing a site to setup an HTTS connection.

Now to be fair, this generated a tone of debate inside the security community because technically TOR offers secure communication by default without needing a certificate from a Certificate Authority.  Many security researchers saw this as a cash grab by certificate authorities but others supported it as a move towards a more private internet. Since we (the security community finally) have  brainwashed people into thinking https good - http bad, we don't want to start breaking that important habit.

Benefits of a .onion address

A .onion address is the equivalent of a .com on the normal web except it brings with it 3 main benefits.

  1. A TOR service uses TOR circuit technology which makes locating the endpoint very difficult.
  2. The .onion address is a hash of the site key which means it is self authenticating. When you visit a .onion address, your browser automatically authenticates that you are actually talking to the site you think you are talking to.
  3. There is a process called rendezvous which provides end to end encryption for all traffic using a tor service even for unencrypted apps. This is why the communicate had a heated debate when Facebook implemented a TLS certificate for its TOR site.

How did Facebook get its .onion address?

In the above list, item 2 says the .onion address is a hash of the site key. Then how did Facebook manage to get something as memorable as https://facebookcorewwwi.onion/ ?

After all typical TOR hidden service addresses don't look that "normal". The TOR hidden service address for the DuckDuckGo search engine is http://3g2upl4pq6kufc4m.onion/  It isn't as easy to remember as the Facebook one is it?

They didn't bribe anyone and they didn't break the rules. They actually tested thousands of keys. They started testing keys where the hash of the first 40 bits would generate "facebook". Once they found this, they used the remainder to find keys that would generate memorable works (in this case settling on "corewwwi").

So Facebook played by the rules and still got what it wanted, a memorable TOR hidden service address.

    Securely Access Facebook via TOR on Android

    As more and more of Facebook's customers access the site via mobile device, the security team decided to accommodate them and did the unthinkable: Facebook added TOR access to its mobile app using the wonderfully simple TOR gateway Orbot

    To use this feature, download Orbot :

    • from the developer as an APK
    • from FDroid
    • from the Google Play store

    Once it is installed and activated, go back to the facebook app and browser the settings screen until you see App Settings then turn on the TOR functionality.

    Only weirdos would use TOR for Facebook. Right?

    On April 22, Facebook announced that 1M people had used Facebook via TOR during a 30 day cycle. 

    This growth is a reflection of the choices that people make to use Facebook over Tor, and the value that it provides them.
    — Facebook blog entry

    1M users is just a small sliver compares to Facebook's overall user population but it is still 1M people that probably wouldn't have been able to use their service. And use of TOR for Facebook has been increasing steadily since its launch.

    TOR is slower

    The one complaint I hear from TOR users is that TOR is slower than the "normal" web and this is true. When driving from A to B, the fastest route is always the direct one. If you take 12 detours, your trip will be much longer. The same is true for TOR traffic. To protect the identity of the source and destination, every packet is whirled through many different TOR nodes across the world and encrypted/decrypted. This is a necessity but does slow down browsing.

    Donate to the TOR project

    The TOR project is a 501(c)(3) USA not for profit research organization and it depends on donations to keep going. If you believe in what they are doing, why not throw a couple of dollars their way and help them continue making TOR faster, better and more stable

    Donate here

    Images

    Facebook TOR mobile login webpage

    You will still be challenged to validate the browser if its the first time you are using it to log in or you configured your TOR browser to automatically clear all data after each session. Using the mobile app via OrBot on Android prevents this.