You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

• all software has bugs (try as we might, this remains true for anything other than simple programs)
• some percentage of those bugs are security-related (call it the law of averages)
• therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither to cars which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system so take a guess at how many security holes that translates into…

Apple has done a better job in this area because as both the hardware maker and OS supplier, they had 2/3’s of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had 3 players that needed to sync up since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google) which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slayed yet as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out but it’s a step in the right direction and one that is long overdue.

Advertisement

Wi-Fi (non)Sense

Ever told someone a secret only to find out later that they blabbed it to everyone they knew? Irritating, huh?

Ever let someone on your home wireless network only to find out later that all their friends now have access as well whenever they get within range? Not yet, but you will … 

… unless Microsoft rethinks a new feature they included in the latest and greatest release of their flagship OS — Windows 10. 

Generally speaking, the early reviews for Win 10 have been mostly positive. However, there’s one addition that might sound like a good idea on the surface, but once you think it through (which it seems the designers didn’t do), you quickly realize it’s a security nightmare.

The feature is called Wi-Fi Sense and it’s intended to help you overcome the complexity of letting visitors onto your home wireless network by automating the process of sharing the complex, hard to remember, even harder to enter encryption key that grants access. (You do have a complex, hard to remember, even harder to remember key protecting your Wi-Fi, right? Please say “yes.” Good.)

The problem is that it breaks the bounds of any sort of reasonable security standard by oversharing that key with all sorts of people you may not even know — many of whom you would never allow on your private home network.

Graham Cluely has a great description of the problem on his blog that I highly recommend that you read so you will have the details in a clear, understandable way that I couldn’t improve on (so I won’t even try).

Before you dismiss this as something you don’t have to care about because you don’t use Windows 10, think again. All it takes is for you to share your Wi-Fi key with any Windows 10 user who happens to have this (over)sharing feature turned on for them to automatically pass it along to all their friends even without their knowledge.

That’s right. You and all your family could run nothing but Macs or Linux but it only takes one visitor running Win 10 that you give the Wi-Fi key to before you unknowingly have shared this with all of your visitor’s Skype contacts, Outlook contacts, Hotmail contacts and Facebook friends. 

I’m not ready to go so far as to say “friends don’t let friends use Win 10,” but I will say you should think twice — make it three times — before you share you home Wi-Fi with them.

Speed Kills: DevOps and Security

It’s all about speed these days — quicker deployment, shorter time to value, instant gratification. Historically, though, one of the friction points in IT has been the invisible wall between Development, who writes the code, and Operations, who supports the real world implementation. DevOps is concerned with knocking down that wall and greasing the skids, as it were, in order to achieve a more agile and responsive software development and deployment cycle.

But what is sacrificed in the process? What risks are introduced by this amped up mode of operation?

If you aren’t careful, the answer is security.

So, some of my colleagues and I put together a brief overview on the Security considerations for DevOps adoption which was just published over on the IBM developerWorks web site. In the paper we discuss some of the issues that need to remain top of mind so that you can still realize the benefits of DevOps without killing security in the process.

Twitter knows where you live

Here’s a cool/creepy thing to keep in mind … when you post to social media or take photos with your phone, it is entirely possible that your laptop or mobile device is also adding location data to your work. This could be a very useful feature if where you are adds context to your posting, such as where you were when you took that awesome shot of the sunset over the ocean (which ocean?  which beach? what season?) or if  you just tweeted about a great slice of pizza others may want to know where so they can get one too.

On the other hand, if you weren’t aware that this information was being captured and made available for all to see, you might not think it was such a great idea. For instance, you could be passing time in a doctor’s waiting room tweeting about last night’s game and not realize that you’ve just told the world that you have a medical problem of a somewhat sensitive nature.

For a real world example of this, I used a tool at http://teachingprivacy.icsi.berkeley.edu:8080/#project to view the comings and goings of one of the giants of the IT world. I’ve redacting his actual Twitter handle out of respect for his privacy but what I found was publicly available information that anyone could easily obtain. The screenshots below reveal what I found with just a few clicks …

 

As you can see our subject is quite the world traveler but he spends most of his time on the West Coast.

 

 

 

 

 

 

 

Zooming in on the red “hot spot” from the previous image shows that he is probably based in Silicon Valley.

 

 

 

 

 

 

Zooming in further still shows a Google map with one of the tweets coming from a urologist’s office.

 

 

 

 

Maybe he was just there to work on their computers but, still, it’s probably not what he had in mind to blast out to the Twitterverse when he wrote that tweet.

A similar bit of stalker magic is available from WeKnowYourHouse.com which correlates tweets using the words “home,” “house,” etc. with the geolocation from Twitter to assert, with reasonable confidence that you live at the following address …

Pretty creepy, huh? Consider yourself forewarned and double-check those settings to make sure that you aren’t guilt of revealing TMI…

What is the most secure OS?

Want to start an endless debate with a room full of techies? Assert that a particular operating system — pick any — is more secure than all the rest then sit back and watch the factions form. Some will argue that Mac OS X wins because of the relatively small number of known malware exploits as contrasted with Windows. Others will point to Linux’s built-in security model as superior to the competition. Windows fans will point to a vastly improved track record in the security area over the past decade. Still others will say that the mainframe’s z/OS and it’s related predecessors have proven their strength over the long haul running many of the world’s most critical transactions since the 1960’s.

Who’s right? Answer: I’ve used them all and I would say it’s none of them and all of them. Macs aren’t immune to malware as Apple’s own employees found out — the hard way.  Windows wears the largest bull eye by virtue of its pervasive presence in the market so it will always victimized by bad guys. Linux’s strong security features may be beyond the grasp of casual users. z/OS has benefitted from something of a “security by obscurity” position, which means latent vulnerabilities could be there for the taking.

Not a very satisfying answer is it? Maybe a better way to rephrase the question would be not “which is the most secure?” but rather “which is the most securable?”  The latter takes into account a larger understanding of the role of the user/administrator in the security ecosystem. In other words, it’s not just about technology but also people and process as well.

Yet another way to look at it is to say that the most secure OS is the one that you configure and use properly. The fact is that any of these options can be good or bad depending on how they are deployed and executed. That’s my answer. Now I’ll sit back and watch the various OS fanboys fight it out …

 

P.S. Here’s a nice write up on “Four easy ways to protect your Mac from malware,” which is a question I get from time to time.

WITX Security Panel

I’ll be serving as a panelist at the Wilmington Information Technology eXchange and Conference hosted by the University of North Carolina Wilmington on April 18, 2012. I’ll be joined by Jonathan Campbell, CSO for New Hanover Regional Medical Center, with the subject of our discussion being “Security and Privacy Concerns including Mobile Device Management.” I plan to give a brief overview of the latest attack trends with a focus on one of our most challenging areas for security — how to handle the proliferation of mobile phones, tablets and other devices that are cropping up in greater numbers in corporate environments. For more information on the event click on the image below …

LinkedIn – a hacker’s dream?

My previous posting dealt with a technical attack involving malware being distributed through social media. Here’s a story on how social media sites can be used for social engineering to entice users into being attacked.

http://money.cnn.com/2012/03/12/technology/linkedin-hackers/index.htm

The article points to how information gleaned from LinkedIn profiles can be used to target users with more plausible attack scenarios — a.k.a. spear phishing. It describes how one person was able to get added as a connection to more than 60 people at a company where he posed online as a worker and then proceeded to get himself added to a private LinkedIn discussion forum.

• “Now I had an audience of 1,000 company employees,” O’Horo said. “I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits — 40% from inside the corporate network.”

Of course, the risk here is that the fake page could have been infected and used to distribute malware as previously described. But is this really a problem with LinkedIn? Should we avoid social networking sites as a result?

I would say “no” and “no.” The real issue here was that people were trusting things they shouldn’t trust. If someone had bothered to find out who this guy was before adding him to the private discussion forum, it wouldn’t have been an issue. Also, if users had been more discerning as to which links they clicked on, it wouldn’t have been an issue.

The point really is what and whom should you trust? LinkedIn, like any social networking site, is only as good as the information in it and only as trustworthy as the people posting to it. It seems that every time we develop a new communications forum, whether it be snail mail, telephone, email, SMS, or social networking sites, we have to re-educate ourselves as users as to what is and is not reasonable and responsible behavior within this new context.

Hackers know this and it’s how they are able to exploit these windows of opportunity with each new turn of the technological crank. The onus is on the good guys to maintain a healthy skepticism when moving into new forums or risk being the next victim.

Social Media INsecurity

Welcome to Inside Internet Security — the blog. I qualify it that way since it is named after a book I wrote about a dozen years ago which, in a sense, served as the launch pad for what has been an amazing personal journey through the intricacies of IT security in the age of the Internet.

It seems somehow appropriate to commence this new (for me) means of outreach through social media with an exploration of some of the security risks inherent in this format. So in that spirit, I offer up a link to a keynote talk I did in September of 2011 at the New York Institute of Technology’s Cyber Security Conference for your consideration in hopes that it will provoke some thinking on the topic.

In this talk I discuss some of the vulnerabilities in the social networking format as well as cite examples of real world attacks and compromises that have occurred on Facebook and LinkedIn along with some discussion of the weaknesses that exist in current authentication technologies such as passwords and biometrics. (There were some technical difficulties with the audio at the start but it smooths out soon.)

Enjoy …

NYIT Cyber Security Conference: How Secure Are We? Identify Management and Social Networking Threats