Category Archives: Security Misc

Maker Faire Kathmandu


I just returned from Kathmandu after a great weekend presenting our Hive Sense project. If you don’t know about Hive Sense, it is a project we started under Random Hacks of Kindness (RHoK) Ottawa to help Algonquin College monitor some bee hives. The goal is to better understand bee behaviour and find out why bees are dying while teaching students about where food comes from and our impact on our food chain. We are in the process of helping get relocated hives under monitoring and will provide a link to this data in the coming months.

Our hope is to help better educate people on the importance of bees and the fact that without them we would not have any fruits or vegetables. Bees are responsible for one out of every three bites of food we consume and are an agricultural commodity that’s been valued at $15 billion annually in the U.S. alone. They are a major unpaid workforce with a huge work ethic — bees from one hive can collect pollen from up to 100,000 flowering plants in a single day and pollinate many of them while doing so. They are a critical part of our food chain and they are dying, but most people appear not to be alarmed by this — but they should be! If the bees are dying from pesticide exposure or other environmental factors, what impact is it having on us and our children? Cancer, DNA mutations, who knows? We need to collect the data to better understand the problem.


These are important questions that need to get answered, but I am not a research scientist. I am a technologist who can build solutions, and so we are doing our part to help in both bee and agriculture research. Oh, did I mention this is an IoT solution?

As for the Maker Faire Kathmandu, it was great to see so many people out. It rained buckets the first day and our booth got flooded – funny now, but the thought of having my MacBook destroyed by a power surge was a bit overwhelming at the time. That said, the interest in bees and bee life was awesome. It was also great to have my placard (see above photo) signed by so many people.

I hope to return some day to Nepal. The people are very friendly and love talking to you. I love all the temples around the city and was able to get a bird’s eye view of Mount Everest in all its towering majesty. (see below)



Cyber Canucks EP 6: Protecting your Kids Online

We hope you enjoy episode 6 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Evaluating Apps for your Kids – Discuss with your kids how they are going to use their devices and what kinds of apps they can install
– Watching what your kids are doing online – How can you track what your kids are doing…there are apps out there and parental controls
– Privacy for your kids – How much privacy do you want to give your kids
– Cyber Bullying – Discuss Cyber Bullying with your kids and educate them


For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Cyber Canucks EP 2: Selecting Mobile Apps for Your Company

We hope you enjoy episode 2 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Where did the App come from – apps can be downloaded from the Apple app store, Google play or third party web sites.
– Who developed the App – Large to medium organizations tend to be safe but do some research on the app, history of the app and the developer
– What personal data does the App use – does it use company data? Does it use a cloud service?
– Where is the App connecting to – most apps connect to various endpoints but who is on the other end? Is it safe?
– Is the App patched or up to date – around security

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



My personal data is where?

Piggybacking on my last post ( )  we were concerned with the security of your data in the cloud…well now you need to be even more concerned.

Your child wants to be just like mom or dad and you buy them a toy tablet that even has an app that allows them to share their photos with their friends…they love it. Yes! So do the hackers that just found all your child’s photos and information (the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids). Excuse me? Yes! That is correct.

News Story

Better yet, all of your child’s information is being stored in some far off country that has different laws than you are accustomed to or expect. In a recent vulnerability assessment that TwelveDot completed we found that a large well known provider of information services hosts their data centres in Asia. Most people incorrectly assume their social networking information is stored close by, safe and secure within the confines of their country.

Parents need to be more vigilant when sharing information with others. Who are you sharing it with? What information are you sharing? I am sure that most of you have seen the family stickers or stick figure characters on the back window of minivans and other vehicles. I recently received a customized gift in the form of a coloured family sticker for my minivan. Each figure clearly demonstrates the specific trait associated with each family member. I accepted the gift but informed the person that I would not be putting it on my minivan…huh?

I see your stick figure family…I know that dad works in construction or enjoys building. I know that mom works in an office. I know that little Jimmy has dark hair and likes to play hockey and little Cindy has blond hair and likes dance and that you have a cat not a dog and that was simply because I was behind you at the stoplight.

Start thinking about how much you want to expose yourself and your family when using products that collect data. Start to question the product company and get to know their security and privacy policies, including where your data is physically located. You may also ask who they provide their data to, as many cloud service providers sell their data as a source of revenue.


Securing your device from Malware

Android and iOS devices both attempt to secure their OS from Malware and other vulnerabilities. They implement a myriad of security features in each new release, but that is just not good enough. Users still need to be vigilant and keep an eye on things.
You may not be able to adhere to everything but here is a list of things you can do to secure your device.


1. Don’t download apps from 3rd party sites

Avoid installing Android Package Files ( .apk’s) directly to your device. “Sideloading”, as it is called, installs apps not from Google Play but from 3rd party sites. The app may look exactly the same as it does from Google but may be repackaged to include malware. The signs of compromises are difficult for many users to identify, so don’t take the chance.


2. Don’t grant administrator access or extra permissions

Many apps ask for permissions to your device that they really don’t need. Before installing an app find out what permissions are required and if you don’t feel comfortable don’t install it. Is that app absolutely necessary? If you are seeing lots of adware then it’s probably too late, but you still have the option of uninstalling the app.


3. Install a security application

Free security apps like Lookout do a decent job of scanning your device for malware, viruses and spyware. The security app will find the apps that are causing you problems and incorporates a malicious website blocker. If possible implement a security app but make sure you do your due diligence on the security app. Check the reviews to see what others are saying about the app.


4. Keep up-to-date on OS and app updates

This is a simple step but it keeps your operating system and apps up-to-date. These updates are often patches for security leaks and known or new found vulnerabilities. You can close the door on thieves but the door needs to be locked as well.


5. Disable cookies and Javascript

This is a tough one. Many apps use cookies and JavaScript to run. The issue here is that the majority of the apps that use cookies and JavaScript also incorporate analytic engines. Analytic engines will process your personal data and send it back to a corporate server. This data is even compiled offline and then sent when you are back online. Google’s policy is to retain your data for 25 months at a minimum and longer if possible…


6. Don’t jailbreak or root your device

Many users do not know what is done to the Operating System during either a jailbreak or the rooting of a device. Once completed it becomes easier to compromise a device, as many users do not have the technical savvy to be able to harden a device in this state. Your device becomes more open to drive-by hackings, especially if you’re using public Wi-Fi, and no, you will not get a notification that your device has been compromised.


Some of these may be tough to swallow, but compare that to your personal data or your banking information being freely available to the highest bidder. Keep in mind many criminal organizations are targeting individual mobile devices as they are not securely configured. Mobile has become the low hanging fruit for identity and data thieves; don’t make it easy.
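To make step 2 concrete, here is an added example (not part of the original post) that reads the permission list of an app and reports the sensitive ones that do not fit what the app is supposed to do. It assumes the text output of `aapt dump permissions <file.apk>` from the Android SDK; the sample dump, the app name and the capability grouping are constructed for illustration.

```python
import re

# Real Android permission names; the capability labels are this example's own grouping.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X` form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump: str) -> list[str]:
    """Return the requested permissions in order, without duplicates."""
    perms = []
    for line in dump.splitlines():
        m = PERM_RE.match(line.strip())
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return perms

def unexpected(dump: str, expected_capabilities: set[str]) -> list[tuple[str, str]]:
    """Sensitive permissions whose capability the user did not expect the app to need."""
    findings = []
    for perm in parse_permissions(dump):
        capability = SENSITIVE.get(perm)
        if capability and capability not in expected_capabilities:
            findings.append((perm, capability))
    return findings

# Constructed sample: a flashlight app that asks for far more than the camera LED.
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.SEND_SMS
"""

if __name__ == "__main__":
    for perm, capability in unexpected(SAMPLE_DUMP, {"camera"}):
        print(f"review before installing: {perm} ({capability})")
```
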


I think I need to move to California

I have to say I don’t know what it is but every time I visit either the Valley or LA, I seem to get this jolt of inspiration and energy. It could be the sun or maybe the surf or just maybe all the great folks I get to hang out with.

BTW If you ever have the chance to hang out with Malaysians do! They are such a heart warming people who just seem to love life. They are smart and like to talk about all kinds of stuff {sports, politics, tech, and food especially} and most of all they like to laugh!!


Why did I uninstall Adobe Flash this weekend from every device I own? I don’t want to be Owned, nor do I want to take a chance of possibly exposing our confidential data. Don’t believe me — search the number of 0-days announced last week for Flash. If you’re still comfortable using this for animation, consider that you might not be the master of your own laptop domain anymore.


Why have we turned our back on our privacy?

Today at the “Beyond Mobile” session hosted by Rogers and bv02 a question was asked about privacy. Rob Woodbridge indicated that “privacy is dead….but he hoped it was not this way.” This got me thinking why are we throwing away our privacy?

My first thought was….is this the beginning of 1984 and we have been lured into the digital crack of tech giants? They got us hooked on their tech and now we are their zombies to do as they please? As I talk to more companies about their mobile and IoT security strategies it is becoming clear that privacy is not something discussed at least not openly.

Many companies are very closed off about what they need to collect, keep and store from a user when using mobile. Most developers just opt to keep everything just in case or until the breach happens. Remember, if the feds subpoena the developer they have to hand over the data!

Users and companies alike need to start asking developers some honest and tough questions such as:

1. Why do you need to collect this information?
2. Do you sell my data and if so to who?
3. How is this information shared with government and law enforcement? Are you willing to publish a transparency report on these activities?
4. Can I request my information be removed/deleted when I leave the service?
5. How long do you store this data?

While not perfect, you need to send the message to mobile developers that you “own” your data, not them. If their usage policy indicates otherwise then you have been warned. There are options; you just need to choose the one that aligns with your values.


Foreign Markets for CyberSecurity

This month’s ITAC newsletter outlines our company’s joint trade mission, along with DFATD (Department of Foreign Affairs, Trade and Development) and ITAC to Dubai. Dubai is a growth area in many sectors, with a large emphasis on cybersecurity. Private companies, government, and individuals take the cyber security threats seriously and go to great measures to secure their property. Smaller companies should realign their focus to include global markets. TwelveDot was lucky to be invited and take advantage of this great networking opportunity.


Why paying for vulns is a bad model

There seems to be a new trend in the industry that has vendors paying for vulns. Many big vendors currently offer money for unpublished vulnerabilities. This can range from a few hundred US dollars to a $100K bounty for the security researcher. While I believe it is good to deal with vulnerabilities and disclosure, you have to ask: does the vendor actually fix these, or do they just use it as a cheap means to bug fix?

I would argue the latter, given the fact that the vendor community fought so adamantly to stop and destroy any initiative related to vulnerability disclosure policies or procedures, including the recently released ISO/IEC 29147 Vulnerability disclosure standard. For such a small standard, the same vendors who tried to destroy it are now offering $$$ for your vulns. Why? ROI!

Think about what the cost would be to a large operating system vendor to fix a bug that impacts 100K users globally. This includes engineering and testing time, marketing, and PR; now calculate the avg. salary of these staff members for a bug that takes about 1000 hours to fix. This can now be purchased for $5K. Now that is a great ROI. Remember, none (not one) of these programs indicates that it will fix the vuln, only that they are willing to provide money to the finder and give them credit for finding it.

This starts a very dangerous trend in our industry: those with $$$ can control the means to protect the innocent users and businesses who are violated by using the shoddy code to begin with. It does not address the fundamental issue of creating secure code and secure testing practices, which are costly to embed into a company culture. This should be the focus of every company that produces software.

If you are a finder who has discovered a vuln here is what I recommend:

1. Find the vulnerability disclosure policy for the company. If they don’t have one, that says a lot, but reach out to the security or administrative contact listed on many web sites.
2. Use a secure transport method to disclose the details of what you have discovered.
3. Keep detailed records of the event and all communication to the vendor.
4. If you do not get a response, try the regional CERT; they typically have the contacts and can help with coordinating the events.
5. Worst case, if you feel that the vendor is not willing to work with you and the issue is critical to customers of the product or service, perform a public disclosure. While I don’t condone this behavior, I know how vendors behave when it comes to vulnerability disclosure so I understand the rationale.

One interesting development would be the launch of companies that front the vendor for vulnerability disclosure. They are fully funded by the big vendors and have had a hand in creating the policies used for collecting vulns. Again, no mention that ANY of these will be addressed by the vendor. Do your research and make an informed decision if this is the best path forward.