Archive for April, 2010

Mobile Applications Security: Part 3

In my previous two postings about mobile device applications security I’ve described some of the major vulnerabilities in these applications as well as security features in them (if such features exist, which is typically not the case). But there are also other security considerations concerning mobile device applications that must be taken into account. One particularly important one applies to iPhones. A newly installed iPhone is in a “factory state”—the only changes to the system itself should be Apple updates. Certain iPhone applications require significant changes in the phone to be made if they are to be installed successfully, however. These changes, called “jailbreaking,” involve overwriting the iPhone’s firmware. For example, one of the best and most popular iPhone forensics tools, iLiberty, requires that an iPhone be jailbroken. Once an iPhone is jailbroken, not only certain applications but entire application bundles can now be installed on it. It is also possible for a jailbroken iPhone to connect to a 3G network service provider other than AT&T, the thought of which I am sure AT&T does not relish. Read more…

Mobile Device Applications Security: Part 2

In my last blog entry I discussed the types of mobile device applications that are available and some of their many vulnerabilities. Presenting problems without offering solutions is a bad practice, so in this blog entry I’ll discuss solutions that are available. The problem here is that the most obvious solution whenever a vulnerability in a piece of software is discovered is for the vendor of that software to create and distribute a patch, but developers of mobile device applications are almost without exception not doing this. There appears to be a sharp bifurcation concerning the view of the necessity and urgency of patching mainstream applications versus mobile computing applications. I suspect that the reason is that the latter are used almost exclusively for personal reasons, whereas the former are used proportionately more for business reasons. Additionally, there is currently not much opportunity for developers of mobile device applications to financially profit from their endeavors, and as such developers are likely to view undertaking potentially arduous tasks such as analyzing and patching vulnerabilities as a waste of their time. Read more…

Mobile Device Applications Security: Part 1

I’ve already written several blog series covering mobile computing security and mobile device forensics, and it has been gratifying to discover the number of you out there who have read these postings. Because of the potentially great level of security risk that mobile computing introduces, I feel that starting another mini-series on mobile computing would be valuable to you, so here goes.

The risk that goes with mobile computing does not stop with risks associated with mobile devices’ operating systems and network mechanisms. Part of this risk is also due to applications that run on these devices. The number of mobile device applications is expanding at an ever-increasing rate. The types of functionality that they provide include: Read more…

Application Layer Firewalls

There has been a lot of discussion about application-layer firewalls over the last few years, and the popularity of these devices has grown considerably. Wikipedia defines application firewalls as “…a computer networking firewall operating at the application layer of a protocol stack. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to monitor one or more specific applications or services (such as a web or database service), unlike a stateful network firewall which can provide some access controls for nearly any kind of network traffic.”

There is a very obvious need for application-layer firewalls. The main two targets of today’s cyberattacks are browsers and Web applications. Although application-layer firewalls cannot do much to stave off attacks against browsers, they can do much to protect against attacks against Web applications. Read more…

Myths about Password Strength

We all know that passwords are not all that good of a security control measure, yet in systems and networks worldwide they lamentably remain the most commonly used form of authentication. In previous blog entries I’ve summarized and discussed some of the previous studies on passwords that Dr. Robert Proctor of Purdue University, Dr. Kim Vu of California State University-Long Beach and I have done over the years. Some of our findings were that longer passwords were, under a number of conditions, no more difficult to crack than shorter ones, something that attests to the power of today’s password cracking tools, and that more difficult-to-create passwords were not significantly more difficult to crack, either, although they were more difficult to remember.

What these results have clearly shown is that a lot of myths about password security exist in the world of information security, and unfortunately these myths have been the basis of password policy provisions that are downright specious. Over the years I have taught numerous operating system security courses. When I have covered recommended password policy settings, I have not infrequently been challenged by those who think that requiring passwords to be changed every 90 days or allowing passwords less than 10 characters long is inadequate for security’s sake. Yet the results of empirical research clearly show that the individuals who have objected to these settings are off base. Read more…

Archive Everything Forever, Part 2

In part one of this blog, we explored how clueless regulators levied an almost ridiculous standard of control on securities firms over 15 years ago in an effort to get ahead of the curve on the rapidly growing phenomenon of Internet communication. At the time, they told securities firms to “archive everything forever,” which of course at the time no one had any idea how to do. In part one of this blog, we discussed how regulators had been essentially behind the curve on monitoring of electronic communications and how this has led to what could be perceived as an overcorrection by regulators to try to get a handle on communications by people involved in the securities industry.

No one really disputes that there is a legitimate government role in monitoring securities markets for inappropriate activity that could indicate an illegal breach of insider trading and other arcane securities laws. Problem is, with the multitude of communications channels now available to every employee and every relative of every employee of every securities firm, firms and regulators face a daunting task in monitoring of communications. When I started my employ at a Wall Street firm, one of the things I had to do was register all of the open securities accounts in my name. Six weeks later, I was called into the office of one of the compliance officers of the firm and asked to explain why I had omitted a particular account. Surprised by the existence of this account, I explained that apparently it was an account created by an overzealous commodities account rep hoping that I would become an active commodities trader. The balance in the account was $.62 in a gold fund. Despite the small amount of the account balance, it was a dead serious meeting with the compliance officer. Basically, he had grounds to fire me for misrepresenting my list of registered security accounts. Only when I offered a lame excuse that I did not know the account had been opened up on my behalf and that there was no activity in the account whatsoever other than the opening balance, was I let off the hook with a warning. At that firm, as is true with most securities firms, one may only have an account which resides at the firm and which is subject to the intense oversight of firm compliance officers who regularly check for activity in sensitive securities. For example, say I decide to buy 100 shares of Cisco. For an employee at the firm, a few days might elapse and then a call might come from the compliance department saying “you know that trade in Cisco last week? Well, that trade never happened.” This would be a sign that there was likely some transaction involving Cisco being managed by the firm for which any activity by a firm employee in Cisco could be viewed as suspect. No one grateful for their paycheck at a securities firm really argues about this kind of enforcement. Read more…

Mentoring in Information Security

Mentoring is a potentially magic word in the workplace. Experienced professionals “take into their care” more junior employees and teach them skills that they otherwise might never have learned. “Learn from the experts,” so they say, and no better example of this than on-the-job mentoring exists. A dedicated and experienced mentor can make a huge difference to an organization—mentors in effect bring the next generation of employees to the next level—the point at which those who have been mentored can deal with situations and issues that they otherwise could not have handled. Mentoring also can drastically reduce training costs.

I know of some senior information security professionals who invest the time and effort to mentor those who work for them. I fear, however, that these individuals are very much the exception to the rule. In contrast to, say, ten years ago, the nature of jobs today has changed drastically, and with these changes have come significant obstacles to mentoring. Some of these obstacles include:

• Busyness. Both potential mentors and potential to Read more…

The Importance of Situational Awareness

Mica Endsley introduced the notion of situational awareness in dynamic systems in 1995. An oversimplified summary of what he wrote is that systems produce information that can help people become more aware of what is going on around them.

The longer I have been in the information security arena, the more I realize just how important situational awareness is. But situational awareness is far greater than the result of interacting with systems. We are bombarded with information from a myriad of sources every day. It is truly a rare individual who is able to filter out irrelevant information and tune in to relevant information. But even people who possess amazing filtering capabilities may miss information that may be extremely relevant to them and their job, and they thus may not be as situationally aware as they could and should be. Read more…

The Importance of Change Management

When we think of strategic security measures, we often think of policy, standards, procedures, firewalls, intrusion detection and intrusion prevention systems, security information and event management systems, network access control, VPNs, identity management systems, personal firewalls, anti-virus software, and the like. Strangely, we too often overlook change management and its value in risk mitigation. Wikipedia defines change management as “the process during which the changes of a system are implemented in a controlled manner by following a pre-defined framework/model with, to some extent, reasonable modifications.” Change management can range anywhere from an informal process involving little more than advance notification of the intention to make a change (something that may be adequate for small groups and organizations) to a formal process that requires change requests to be written and submitted to a change control board that reviews and ultimately approves or disapproves them. Read more…

Expectation of Privacy versus Client-Attorney Privilege

Those of us who are information security professionals have long been aware of the need of organizations to defeat users’ expectation of privacy before they use their organization’s computers and networks. Showing a warning banner displayed to users before they log on has become a standard practice. This banner generally reads as follows:
“This computer is the sole property of and must be used for official business only. Unauthorized use is forbidden and will be punished to the full extent of the law. All user actions will be monitored. Attempting to log on constitutes user consent to be monitored.”
However, a recent ruling is causing us to rethink the meaning and impact of warning banners intended to defeat the expectation of privacy. Two years ago, Marina Stengart, a former employee of the Loving Care Agency, filed a lawsuit against this company. While still an employee, she used Loving Care’s computers to send emails back and forth to her lawyer. This company searched for and found copies of these emails and argued that because Stengart had been warned that whatever she did while she used Loving Care’s computers was subject to monitoring and was thus not private meant that the company had the prerogative to retrieve, read and disclose the content of these messages. Stengart’s attorney argued that the content of these messages was protected by client-attorney privileges. Loving Care won the trial case, but the New Jersey Supreme Court reversed the ruling by a 7 – 0 margin. Loving Care was ordered to hand over all of Stengart’s messages in connection with her lawsuit and to not keep any of them. Read more…