Archive for June, 2010

iPad Security: Part 2

Like the iPhone, the iPad runs Apple’s iOS operating system, a slightly scaled down version of Darwin OS, the operating system for the Macintosh. Darwin OS is a flavor of Berkeley Standard Distribution (BSD) Unix. Much of the iPad’s security is dependent on the security features of Apple’s iOS operating system. According to Apple (see images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf ), the iPad has quite a few security-related policies and settings which include:

iPad Security: Part 1

Apple has been making the headlines lately, with most of the uproar being related to something about security. Not too long ago a group of perpetrators accessed an AT&T server in which names of iPad users, their email addresses, and authentication information (“ICC-IDs*”) needed for access to AT&T’s network were stored, and stole this information to learn the identities of approximately 114,000 iPad 3G subscribers. The perpetrators ran a PHP script that issued specially-crafted HTTP requests, with “User agent” headers specifying the type of browser and other information, to the server, supplying one ICC-ID after another. The perpetrators guessed ICC-ID ranges by viewing Web postings in which iPad users revealed their ICC-IDs and also by asking other iPad users what their ICC-IDs were. The server responded to each request by sending back email addresses, one for each ICC-ID, enabling the perpetrators to determine the identities of iPad subscribers from the information in the addresses. The identities of iPad subscribers could be from a who’s who list–some were U.S. Congressmen, others were from Morgan Stanley, HBO, Google, Microsoft, and Goldman Sachs, one was a US Air Force general, and one was even White House Chief of Staff Rahm Emanuel.

A Landmark US Supreme Court Ruling

We’ve been awaiting the U.S. Supreme Court’s ruling on the appeal in the Quon versus Ontario, California case. You may remember that several years ago Sgt. Jeff Quon sued the city of Ontario, its police department and the police chief on the grounds that the police department read messages that he had both sent and received using his police department-issued pager. Quon claimed that he had an expectation of privacy based on the police department’s having an unwritten, implicit policy that employees’ messages would not be looked at if employees paid for any usage beyond a threshold level. According to Quon, the police department violated this expectation when his and others’ messages were read in connection with an audit conducted to ascertain whether a limit of 25,000 characters per month per pager was sufficient for conducting police department business. In a unanimous decision, the Supreme Court ruled that Quon could not sue the defendants because conducting an audit is a reasonable thing to do, regardless of whether Quon had an expectation of privacy.

Information Security Breach Insurance: Is it Working?

A recent SANS NewsBite item covered how Colorado Casualty Insurance Co has denied a data security breach insurance claim for USD 3.3 million. The claim was based on a 2008 incident in which backup tapes with data pertaining to approximately 1.7 million medical patients from University of Utah hospitals were stolen en route to a storage site operated by Perpetual Storage. A Perpetual Storage employee had left the tapes in a car and later reported that they were missing. The storage service provider had bought an insurance policy to insure against costs from data security breaches.

Tunnel Vision in Business Continuity and Disaster Recovery

Business continuity and disaster recovery are two of the most challenging IT areas. I’ve had some experience with business continuity planning, and from what I have seen of it, it is much more difficult than a closely-related area, incident response, with which I have had considerable experience. What makes business continuity and disaster recovery so much more difficult is the sheer number of steps and details involved and the precision with which actions must be performed. I remember, for example, when a friend of mine who was leading a business continuity operation after an outage had occurred got in serious trouble because the data he restored to a system were not exactly the right set. In contrast, I’ve made numerous mistakes in the process of conducting incident response efforts, but have never experienced anywhere near the kind of consequences that he did.
Strangely, a kind of “tunnel vision” appears to have permeated both business continuity and disaster recovery planning. The problem is either an inability or an unwillingness to anticipate disruptive events that are far out of the ordinary. Examples of such events include the 9/11 terrorist attacks, Hurricane Katrina, and Hurricane Wilma. And although the recent BP oil spill catastrophe has not affected IT, it, too, should remind us of how extreme incidents can be. Despite the fact that the probability of incidents such as these occurring is low, the fact that they could happen and have happened more than a few times in the recent past should be a cause for major concern.

Factory-Infected Gadgets: What Next?

Decades ago Ken Thompson, the great information security pioneer, wrote a widely acclaimed paper, “Reflections on trust.” In this still much-read paper Thompson asserted that the computing community implicitly trusts those who develop the software that is used, and raised the possibility that even mainstream programs and tools such as compilers could have built-in Trojan horse software that performs malicious functions without the awareness of anyone but the person who originally installed the Trojan.

Inoculation in Security Training and Awareness

I spend a fairly large percentage of my time involved in information security training and awareness activity of one type or another. Sometimes I develop courses (e.g., I developed two new courses last calendar year), sometimes I critique courses that others have developed, but most often I teach courses. And if you have read some of my previous blog entries, you’ll know I am a strong believer in security training and awareness because it generally yields a very favorable cost-to-benefit ratio. It also promises to change both attitudes and behaviors of users and managers of computing systems, regardless of whether the targets of training are everyday users, system and network administrators, software developers, quality assurance experts, or managers.

Melissa Hathaway on Cybersecurity in the Obama Administration: Is She on Track?

Earlier this week I read a very interesting Washington Post article, “The cybersecurity changes we need,” by Jack Goldsmith and Melissa Hathaway. Goldsmith and Hathaway in essence argue that the US has become extremely dependent upon computing, but computing technology is becoming increasingly complex, and thus also more vulnerability-riddled. They claim that the Obama Administration is aware of the gravity of the cybersecurity risks that the US faces and their potentially catastrophic consequences. Goldsmith and Hathaway reminded readers that just over one year ago “President Obama declared our ‘digital infrastructure’ to be a ‘national security asset’ and pledged to make it ‘secure, trustworthy and resilient’.” However, the authors claim that the President is hesitant to put in place appropriate control measures, including national cybersecurity standards, because he fears that they might hinder short-term economic recovery. Goldsmith and Hathaway then went on to say:

Google’s Legal Woes Mount

Google, a company that many (myself very much included) consider the worldwide technology leader, has been increasingly making the headlines, but the news has not always been good. Google’s computer systems have been targeted for cyberattacks, particularly a series of these attacks by the Chinese over the last two years or so. Then Google went head-to-head with the Chinese government over whether Google must provide that government with information about Chinese dissidents’ use of its search engine and other services. Most recently Google is facing an increasing amount of trouble concerning charges that, in collecting information for various Google services, this technology giant massively infringed upon the privacy of individuals and organizations, and may have even broken national privacy laws.
