Archive for April, 2010

Mobile Applications Security: Part 3

In my previous two postings about mobile device applications security I’ve described some of the major vulnerabilities in these applications as well as security features in them (if such features exist, which is typically not the case). But there are also other security considerations concerning mobile device applications that must be taken into account. One particularly important one applies to iPhones. A newly installed iPhone is in a “factory state”—the only changes to the system itself should be Apple updates. Certain iPhone applications require significant changes in the phone to be made if they are to be installed successfully, however. These changes, called “jailbreaking,” involve overwriting the iPhone’s firmware. For example, one of the best and most popular iPhone forensics tools, iLiberty, requires that an iPhone be jailbroken. Once an iPhone is jailbroken, not only certain applications but entire application bundles can now be installed on it. It is also possible for a jailbroken iPhone to connect to a 3G network service provider other than AT&T, the thought of which I am sure AT&T does not relish. Read more…

Categories: Network Security

Mobile Device Applications Security: Part 2

In my last blog entry I discussed the types of mobile device applications that are available and some of their many vulnerabilities. Presenting problems without offering solutions is a bad practice, so in this blog entry I’ll discuss the solutions that are available. The problem here is that the most obvious response whenever a vulnerability in a piece of software is discovered is for the vendor of that software to create and distribute a patch, but developers of mobile device applications are almost without exception not doing this. Views on the necessity and urgency of patching appear to differ sharply between mainstream applications and mobile computing applications. I suspect that the reason is that the latter are used almost exclusively for personal purposes, whereas the former are used proportionately more for business purposes. Additionally, there is currently not much opportunity for developers of mobile device applications to profit financially from their efforts, so developers are likely to view potentially arduous tasks such as analyzing and patching vulnerabilities as a waste of their time. Read more…

Mobile Device Applications Security: Part 1

I’ve already written several blog series covering mobile computing security and mobile device forensics, and it has been gratifying to discover the number of you out there who have read these postings. Because of the potentially great level of security risk that mobile computing introduces, I feel that starting another mini-series on mobile computing would be valuable to you, so here goes.

The risk that goes with mobile computing does not stop with risks associated with mobile devices’ operating systems and network mechanisms. Part of this risk is also due to applications that run on these devices. The number of mobile device applications is expanding at an ever-increasing rate. The types of functionality that they provide include: Read more…

Application Layer Firewalls

There has been a lot of discussion about application-layer firewalls over the last few years, and the popularity of these devices has grown considerably. Wikipedia defines application firewalls as “…a computer networking firewall operating at the application layer of a protocol stack. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to monitor one or more specific applications or services (such as a web or database service), unlike a stateful network firewall which can provide some access controls for nearly any kind of network traffic.”

There is a very obvious need for application-layer firewalls. The two main targets of today’s cyberattacks are browsers and Web applications. Although application-layer firewalls cannot do much to stave off attacks against browsers, they can do a great deal to protect Web applications. Read more…

Myths about Password Strength

We all know that passwords are not all that good of a security control measure, yet in systems and networks worldwide they lamentably remain the most commonly used form of authentication. In previous blog entries I’ve summarized and discussed some of the previous studies on passwords that Dr. Robert Proctor of Purdue University, Dr. Kim Vu of California State University-Long Beach and I have done over the years. Some of our findings were that, under a number of conditions, longer passwords were no more difficult to crack than shorter ones, something that attests to the power of today’s password cracking tools, and that more difficult-to-create passwords were not significantly more difficult to crack either, although they were more difficult to remember.

What these results have clearly shown is that a lot of myths about password security exist in the world of information security, and unfortunately these myths have been the basis of password policy provisions that are downright specious. Over the years I have taught numerous operating system security courses. When I have covered recommended password policy settings, I have not infrequently been challenged by those who think that requiring passwords to be changed every 90 days or allowing passwords less than 10 characters long is inadequate for security’s sake. Yet the results of empirical research clearly show that the individuals who have objected to these settings are off base. Read more…

Archive Everything Forever, Part 2

In part one of this blog, we explored how clueless regulators levied an almost ridiculous standard of control on securities firms over 15 years ago in an effort to get ahead of the curve on the rapidly growing phenomenon of Internet communication. At the time, they told securities firms to “archive everything forever,” which of course at the time no one had any idea how to do. In part one of this blog, we discussed how regulators had been essentially behind the curve on monitoring of electronic communications and how this has led to what could be perceived as an overcorrection by regulators to try to get a handle on communications by people involved in the securities industry.

No one really disputes that there is a legitimate government role in monitoring securities markets for inappropriate activity that could indicate an illegal breach of insider trading and other arcane securities laws. Problem is, with the multitude of communications channels now available to every employee and every relative of every employee of every securities firm, firms and regulators face a daunting task in monitoring of communications. When I started my employment at a Wall Street firm, one of the things I had to do was register all of the open securities accounts in my name. Six weeks later, I was called into the office of one of the compliance officers of the firm and asked to explain why I had omitted a particular account. Surprised by the existence of this account, I explained that apparently it was an account created by an overzealous commodities account rep hoping that I would become an active commodities trader. The balance in the account was $0.62 in a gold fund. Despite the small amount of the account balance, it was a dead serious meeting with the compliance officer. Basically, he had grounds to fire me for misrepresenting my list of registered security accounts. Only when I offered a lame excuse that I did not know the account had been opened up on my behalf and that there was no activity in the account whatsoever other than the opening balance, was I let off the hook with a warning. At that firm, as is true with most securities firms, one may only have an account which resides at the firm and which is subject to the intense oversight of firm compliance officers who regularly check for activity in sensitive securities. For example, say I decide to buy 100 shares of Cisco. For an employee at the firm, a few days might elapse and then a call might come from the compliance department saying “you know that trade in Cisco last week? Well, that trade never happened.” This would be a sign that there was likely some transaction involving Cisco being managed by the firm for which any activity by a firm employee in Cisco could be viewed as suspect. No one grateful for their paycheck at a securities firm really argues about this kind of enforcement. Read more…

Mentoring in Information Security

Mentoring is a potentially magic word in the workplace. Experienced professionals “take into their care” more junior employees and teach them skills that they otherwise might never have learned. “Learn from the experts,” so they say, and no better example of this than on-the-job mentoring exists. A dedicated and experienced mentor can make a huge difference to an organization—mentors in effect bring the next generation of employees to the next level—the point at which those who have been mentored can deal with situations and issues that they otherwise could not have handled. Mentoring also can drastically reduce training costs.

I know of some senior information security professionals who invest the time and effort to mentor those who work for them. I fear, however, that these individuals are very much the exception to the rule. In contrast to, say, ten years ago, the nature of jobs today has changed drastically, and with these changes have come significant obstacles to mentoring. Some of these obstacles include:

• Busyness. Both potential mentors and potential to Read more…

The Importance of Situational Awareness

Mica Endsley introduced the notion of situational awareness in dynamic systems in 1995. An oversimplified summary of what he wrote is that systems produce information that can help people become more aware of what is going on around them.

The longer I have been in the information security arena, the more I realize just how important situational awareness is. But situational awareness is far more than the result of interacting with systems. We are bombarded with information from a myriad of sources every day. It is truly a rare individual who is able to filter out irrelevant information and tune in to relevant information. But even people who possess amazing filtering capabilities may miss information that is extremely relevant to them and their job, and they thus may not be as situationally aware as they could and should be. Read more…