Friday, May 31, 2013

Media attention for HackMiami's conference

I had a prior posting on the recent HackMiami conference here in the South Florida area.

They have gotten some media attention for their conference, in particular for one of their panel discussions on the growing "cryptocurrencies" such as Bitcoin and the like.  You can read the article HERE at Financial Tech Spotlight.  I had attended this panel, and thought it was pretty good.

Thursday, May 30, 2013

Disney's new MagicBands

In a recent article at All Things D, it's noted that Disney is rolling out a new item called MagicBands, that serve as replacements for park tickets (including FastPass), even room keys.  They work wirelessly, so they are similar to various RF access cards.  They can also be tied to credit cards, so guests can use their MagicBands to pay for stuff.

It's good that the article did bring up potential security risks, especially with the credit cards.  Ok, the bands don't have the credit card info on them, and the guest must use a PIN code to fully utilize that, so you do have 2-factor authentication for that part.  But you do have to wonder if the bands can be cloned.  This would allow someone to get into hotel rooms or use them to get into the parks, etc.

Here is a Disney Blog posting on it.

Review: The Phoenix Project

In a previous posting, I mentioned a new book out, The Phoenix Project.  Surprisingly, this is a novel that is "about IT, DevOps, and Helping your Business Win."  I had heard about it from a couple of IT Security colleagues, and had to check it out.

As I noted in my previous posting, the idea of process improvement in IT is one I've had an interest in over the years.  Up till now, nothing I had seen used had really done the job well.  This book is intended as an introduction to a new way of thinking about IT, called DevOps (a combination of Development and Operations, two groups in IT that are often at odds).

Wednesday, May 29, 2013

SANS' Securing the "Internet of Things" Summit

I recently learned that the SANS Institute, a leading IT Security training and certification organization, has a Call for Papers (CFP) for an upcoming one day workshop on securing the "Internet of Things".

The event is the Securing the Internet of Things Summit, being held on October 21st in San Francisco.

The page has full info on the event, including the CFP.

The event sounds pretty good.  I'd love to be there, but most likely won't be able to.  I do hope that the papers presented will be available to others.  (say a conference report or the like).

Failure of Bouncer

In a previous posting, I mentioned Bouncer, Google's service within the Google Play Store that is supposed to keep out malware.  This is important, because the Play Store does not vet new apps to the level that Apple's App Store does, meaning that Google Play becomes one of the biggest vectors for malware to get into Android phones.

Well, per a recent article at ArsTechnica, someone figured out how to get around this.  I discovered this thru an article at TechRepublic.

Apparently how they did it was to upload an app to Google that was ok, which was checked by Bouncer.  Then they uploaded a new version of that app, this one with the malware.  Now, I have to wonder why Bouncer didn't re-check it.  Wouldn't that malware app be different (different size, at least a new update date), and thus Bouncer would re-examine it?  Seems it's not set up that way.  Certainly a new upload, even if it's not a new size, should trigger a recheck.
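To make the point concrete, here is an added example (my own illustration, not Bouncer's code or anything Google has published) contrasting the two gating rules discussed above: a naive gate that only re-scans an update when its size changes, and a gate that keys every scan on the SHA-256 of the uploaded package bytes, so any changed build is re-examined regardless of size, version number or date.  The scanner verdict, the package bytes and the "bad marker" it looks for are all constructed stand-ins for a real analysis result.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

# Constructed marker that the toy scanner treats as "malware". It stands in
# for a real analysis verdict; nothing here models actual Android malware.
TOY_BAD_MARKER = b"CONSTRUCTED_BAD_MARKER"


def toy_scanner(package: bytes) -> bool:
    """Return True when the package is considered clean (toy verdict)."""
    return TOY_BAD_MARKER not in package


@dataclass
class Upload:
    package_name: str
    version_code: int
    content: bytes  # bytes of the uploaded package (constructed below)


@dataclass
class NaiveSizeGate:
    """Re-scans an update only when its size changes. This is the behaviour
    the post speculates about; kept here to show what it misses."""
    last_size: dict = field(default_factory=dict)
    scans_run: int = 0

    def admit(self, up: Upload, scanner: Callable[[bytes], bool]) -> bool:
        prev = self.last_size.get(up.package_name)
        if prev == len(up.content):
            return True  # same size: skipped, even though the bytes changed
        self.scans_run += 1
        clean = scanner(up.content)
        if clean:
            self.last_size[up.package_name] = len(up.content)
        return clean


@dataclass
class ContentHashGate:
    """Re-scans whenever the package bytes differ from an already vetted
    build, keyed by SHA-256 of the content rather than size or version."""
    approved: dict = field(default_factory=dict)  # package_name -> set of hashes
    scans_run: int = 0

    def admit(self, up: Upload, scanner: Callable[[bytes], bool]) -> bool:
        digest = hashlib.sha256(up.content).hexdigest()
        seen = self.approved.setdefault(up.package_name, set())
        if digest in seen:
            return True  # byte-identical to a build that already passed
        self.scans_run += 1
        clean = scanner(up.content)
        if clean:
            seen.add(digest)
        return clean


def build_samples() -> list:
    """Constructed uploads: v1 is clean; v2 has the same length but carries
    the marker, mimicking an update whose size did not change."""
    v1 = b"A" * 1000
    v2 = b"A" * (1000 - len(TOY_BAD_MARKER)) + TOY_BAD_MARKER  # same length as v1
    return [Upload("com.example.app", 1, v1), Upload("com.example.app", 2, v2)]


def run_policy(gate) -> list:
    """Feed both versions through a gate and return the admit decisions."""
    return [gate.admit(up, toy_scanner) for up in build_samples()]


if __name__ == "__main__":
    naive, hashed = NaiveSizeGate(), ContentHashGate()
    print("size-only gate admits:", run_policy(naive), "scans:", naive.scans_run)
    print("content-hash gate admits:", run_policy(hashed), "scans:", hashed.scans_run)
```

Running it shows the size-only gate admitting both versions after a single scan, while the content-hash gate scans twice and rejects the second upload.  The design point is that the re-scan decision must be derived from the artifact itself, not from metadata the uploader controls.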

Apparently some 9 million users got it.  Oops.

Check out the article at TechRepublic.  I thought it had some pretty good points, similar to what I've been saying, on the need for a better security stance when it comes to Android.  A big part is that we need to get more people to install AV software (ok, they are really anti-malware, but still) on their phones.  Stop giving people the impression these devices are totally secure, and keep practical security in mind.

Sunday, May 26, 2013

DevOps- a preliminary look

This is a posting I've been working a bit on for some time.  I decided to at least get this out, as it's a topic I will probably be visiting more in the future.

As a long time IT professional, I've had to deal with processes and procedures.  These are needed to manage the systems we are responsible for and deliver the services we should.  Even as security professionals, we need to understand that our job is to secure these systems to help ensure that the delivery of them is not interrupted.  And oftentimes this means doing so in a consistent manner, which happens when we follow procedures.

Review: Android Security

I recently picked up a new book on Android security.  Looks to be the only (so far) book on the topic, so they have kind of set the bar for subsequent works.  The book is Android Security: Attacks and Defenses by Anmol Misra and Abhishek Dubey (CRC Press, ISBN 978-1-4398-9659-4).  They have an accompanying website and blog, where there are also resources from the book.  (but there's not much traffic on the blog, hope this changes.)

Having read over it, I have to give it an overall grade of B+.  (or if you prefer, 4 out of 5 stars).

Thursday, May 23, 2013

Video game console hacking

Like most IT people, I like video games.  Over the years, I have used and played several video game consoles (still have them).  Nintendo, Super Nintendo, Sega Genesis, PlayStation, etc.  Personally, I like using them over playing video games on PCs, because it's easy to just launch the game and play.

Over time, especially in recent years, these video game systems have gotten more and more powerful, rivaling, and I think exceeding, the power of most PCs.  Souped-up CPUs and graphics, hard drives, Blu-ray discs, etc.  Then the more recent systems from Nintendo, Sony, and Microsoft have gone on-line.

Monday, May 20, 2013

The importance of smartphone security awareness

I have posted prior on the issue of smartphone security.  And one of the biggest issues related to this is how many people who have smartphones are sadly not aware of the need to be secure.  I guess we could say there is a lack of security awareness when it comes to smartphones.  This issue is made more difficult by people making the claim that smartphones are "more secure" than PCs (whatever that means), and that somehow people don't need to be as security minded about their smartphones as they are with their PCs, especially if it's a personal phone.

I'm sorry, but I find that an irresponsible attitude.

HackMiami 2013 Conference Report

This past weekend (May 17-19), the hacker group in my local area, HackMiami, had their first conference, HackMiami 2013, and I attended.  While not a member of the group, I have heard of them, and we've had them help out with some of our South Florida ISSA events.  This is not an underground group.  Most of the members actually work with/for many local IT security companies.

This was a hacker conference, which is a little different from a traditional IT Security conference.  Some of the stuff done is a bit out there, there is an expectation that the audience is more technical, and some sessions were more hands on than in most Security conferences.

Friday, May 17, 2013

Raspberry Pi as PenTest tool

I've previously mentioned the Raspberry Pi, the cool credit-card sized Linux computer that is very inexpensive, and can be easily attached to a monitor and keyboard.

Well, I came across this interesting posting at InfoSec Institute resources on using the Raspberry Pi as a Pentest system.

It looks pretty interesting.  There are already set-up distributions you can download to an SD card that have all the Linux tools you'd need already set up.  The author shows 3 different distributions available.

Cybercriminals steal $45 million from ATMs: UPDATE 2

Another update posting on the recent cybercrime of $45 million stolen from 2 banks in the Middle East via pre-paid debit cards.

My first posting is HERE, the first update is HERE.

Another article I stumbled upon is HERE.

Per this article, the individual killed in the Dominican Republic (named in this one) is said to be the "mastermind" of the whole thing, not just of the US cell.  It's claimed it was due to a dispute among rival gangs over the disbursement of the haul.  Still not sure if this means he's the overall mastermind, but it does seem to indicate that he was killed by others within the overall scheme.

The article also reports that German authorities have arrested two Dutch nationals in connection with this crime.  It sounds like they were part of the large group hitting the ATM systems, so who knows where this will lead.

Again, as I see more I will pass it along.  You can help by adding comments about this matter.

Thursday, May 16, 2013

HackMiami 2013 Conference this weekend

This weekend (May 17-19), local hacker group HackMiami is having their first conference, HackMiami 2013.  While not a member of the group, I have heard of them, and we've had them help out with some of our South Florida ISSA events.

Overall, the conference looks pretty good.  They've organized 3 tracks, "old headz", "new headz", and "moral headz", so there should be a good mix of sessions to attend.

Seeing as how Hacker Halted USA isn't coming back to Miami this year (they're going to Atlanta this year), this may be the only major IT Security conference in the South Florida area.

Next week I'll post my comments on the event.

Wednesday, May 15, 2013

Congress votes on several cybersecurity bills

I try to stay away from politics in this blog, but a recent item I saw in another blog I have to pass along.

The original item is HERE.

This week, the House is voting on several cybersecurity bills.

Most important is the controversial CISPA (Cyber Intelligence Sharing and Protection Act).  On the surface, it looks pretty good, as it sets down standards for government and industry to share data on cyber threats.  But there are issues with privacy data being shared by industry (especially social networks) with the government.

Tuesday, May 14, 2013

3LM- what could have been

This posting may be a little different from what you might expect on a security blog.  One subject I've loved is history.  This means that oftentimes I am interested in the history or development of technology or ideas in other areas I am involved in.  So this posting will take a look at the history and what could have been with one company.

3LM, 3 Laws Mobility, is (or I guess now was) a small firm involved in the overall Android MDM marketplace.  The name, an allusion to Asimov's "Three Laws of Robotics", stood for the guiding principles of the company:

  • Protect your user. A mobile device may not harm its user or, through inaction, allow its user to come to harm through malicious code or content.
  • Protect yourself. A mobile device must protect itself and the integrity of its data and secured communications.
  • Obey. A mobile device must let the user use the device freely, as long as such usage does not conflict with the First or Second Law.

The company's product was not something that was sold to the end users or to enterprises.  It made changes to the Android OS, and so would be something the device manufacturers would incorporate into their builds of Android on their devices.  This would extend and enhance Android, making it easier to be managed by other products.

Frankly, stuff that probably should have been in Android in the first place.

Monday, May 13, 2013

Cybercriminals steal $45 million from ATMs: UPDATE 1

The matter of the $45 million stolen worldwide by a cybercriminal ring is something I plan to keep an eye on.  See my previous posting on it.

In a search of news items, most seem a repeat of what we've already seen.  A new article I saw in Forbes HERE does delve into how they got away with it.

Per the author, there are 4 things the thieves exploited:

1. Using pre-paid debit cards
2. Using cards with magnetic stripes instead of chips
3. Breached overseas card processors
4. Large number of confederates utilizing cards worldwide

Each of these had their own issues.  The thing with using pre-paid debit cards is that unlike credit cards, there is no usage of buying habits to discover issues.  As I had both my main credit card numbers stolen recently, I know that it was by their unusual buying habits that this was caught.  (one card they started to use down in Brazil, the other was to make purchases across the state from me).

While some credit cards can have smart chips in them, they are sadly not universal in the US.  Magnetic stripe cards are easily cloned, which is not an issue with smart cards.

The usage of overseas processors shows the weakness of their process.

And usage of all their confederates spread the risk to a large number.  There is the possibility that the use of them could be tracked back to the ringleaders.  This remains to be seen.

I still wonder why only cards issued by 2 banks in the Middle East were targeted.  There must be a reason.  And who killed the leader of the US gang in the Dominican Republic?  Hopefully as this case progresses, we'll learn more.

Mini Android PC

In a previous entry, I pointed out some of the interesting mini-computers that are now out there.  The most well known of these are the Raspberry Pi and the BeagleBoard.  These mainly run Linux, tho there is work being done to put other OSs on them.

I think from a research perspective, these give some interesting avenues of investigation for security matters.  Especially at such low cost, one could have several devices to test against.  Instead of having a rack of full blown PCs, one could have several such mini PCs.

For those wanting to research Android security, things seem kind of slim.  I don't like the idea of using my own smartphone for such work, tho I could see using a separate pre-paid Android phone for this.  But that could still get costly.

Sunday, May 12, 2013

Cybercriminals steal $45 million from ATMs

I hope that most IT security people are taking a look at the recent cybercrime that broke in the last couple of weeks, of an organized group of criminals who stole $45 million from ATMs thru the use of pre-paid debit cards.  This happened in February of this year, and only came to light recently.

From the information so far, they did this by exploiting 2 weaknesses:
• Broke into bank computers and stole prepaid debit cards, erasing their withdrawal limits.
• Got the data into the hands of others who cloned the cards and hit numerous ATMs.

And apparently, doing these two things in coordination is what made this successful for this group.  Better oversight could have stopped the first.  And the use of smart chips instead of magnetic stripes in cards could have dealt with the second, but this is rare in US credit/debit cards.

We are seeing the rise of such organized cybercrime.  And frankly, the numbers in just this case are staggering:  thieves were in 27 countries, and they made about 36,000 withdrawals over 10 hours to accumulate $45 million.  That works out to about a withdrawal of $1,111 every 10 seconds.

All the cards stolen were MasterCard prepaid debit cards, and only 2 banks were targeted.  In December, it was cards issued by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates.  Then in February it was cards issued by the Bank of Muscat in Oman.  I have to wonder if there was a reason those banks were the target.

What I haven't seen is the size of this overall group, which may not be known at this point.  A small group has been arrested in the US (apparently the "US cell"), and another individual who was apparently the leader of that cell was killed in the Dominican Republic (by whom is not clear).  What about the overall ringleaders?  Maybe they killed the US ringleader to prevent any links back to them.  (yeah, I guess I read too many thrillers...)

Am sure we will get more info on this case as it moves along.  I wonder how procedures may be changed or improved in light of this.
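Since both this posting and UPDATE 1 above come down to the same two weaknesses (per-card withdrawal limits that were erased inside the bank's own systems, and cloned magnetic stripe cards used by many confederates across 27 countries within a few hours), here is an added example of the kind of issuer-side detection that does not depend on the tampered limits.  This is my own illustration, not code from any bank, processor or the articles cited; the withdrawal log, the card numbers, the countries and the policy thresholds are all constructed.  The idea is that a velocity check kept outside the card record (total amount, number of withdrawals, and number of distinct countries per card per sliding window) still fires even after the card's own limit field has been zeroed out.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    card: str
    country: str
    amount: int  # whole currency units


# Policy thresholds held independently of the card record (assumption), so
# erasing a card's own withdrawal limit does not also erase these checks.
WINDOW = timedelta(hours=1)
MAX_AMOUNT_PER_WINDOW = 5000
MAX_WITHDRAWALS_PER_WINDOW = 5
MAX_COUNTRIES_PER_WINDOW = 1


def parse_log(lines):
    """Parse constructed CSV lines: ISO timestamp, card id, country, amount."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, country, amount = line.split(",")
        events.append(Withdrawal(datetime.fromisoformat(ts), card, country, int(amount)))
    return events


def detect(events):
    """Return {card: set(reasons)} for cards whose activity inside any
    sliding WINDOW breaches one of the independent thresholds."""
    by_card = defaultdict(list)
    for e in events:
        by_card[e.card].append(e)

    alerts = {}
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e.ts)
        window = deque()
        reasons = set()
        for e in evs:
            window.append(e)
            # Drop events older than WINDOW relative to the newest one.
            while window and e.ts - window[0].ts > WINDOW:
                window.popleft()
            if sum(w.amount for w in window) > MAX_AMOUNT_PER_WINDOW:
                reasons.add("amount")          # limit exceeded despite card record
            if len(window) > MAX_WITHDRAWALS_PER_WINDOW:
                reasons.add("velocity")        # too many cash-outs per hour
            if len({w.country for w in window}) > MAX_COUNTRIES_PER_WINDOW:
                reasons.add("countries")       # same card in several countries
        if reasons:
            alerts[card] = reasons
    return alerts


def build_sample_log():
    """Constructed log: CARD-A is cashed out every 5 minutes across three
    countries (cloned card pattern); CARD-B shows ordinary use."""
    lines = ["# ts,card,country,amount"]
    start = datetime(2013, 2, 19, 13, 0, 0)
    for i, country in zip(range(12), ["US", "JP", "DE"] * 4):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()},CARD-A,{country},500")
    lines.append(f"{start.isoformat()},CARD-B,US,200")
    lines.append(f"{(start + timedelta(hours=3)).isoformat()},CARD-B,US,200")
    return lines


if __name__ == "__main__":
    for card, reasons in sorted(detect(parse_log(build_sample_log())).items()):
        print(card, "->", ", ".join(sorted(reasons)))
```

Against the constructed log, CARD-A trips all three checks within its first hour (6,000 withdrawn, 12 cash-outs, 3 countries) while CARD-B stays quiet.  The important design choice is where the thresholds live: if the only limit is the one stored on the card record that the intruders could edit, the check disappears with it.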

Here are some of the articles on this matter:

Global Post on the heist.
Business Insider on how it was done.
NPR on it.
Dark Reading on the 8 caught in NY

Saturday, May 11, 2013

Android security books, finally

Ok, I will admit to being a bibliophile.  I love books.  When it comes to systems support, I like having the official manual and materials, alongside the best "unofficial" works.  These, I find, usually help me find the answers I need.  On-line resources are great, but it can be a bear to have to search thru so much to find an answer.

In the area of Android, there have been several books on developing apps for Android, but nothing (so far) on Android security.

Well, in what seems to be the first of what looks like several works, we finally have an Android security book.  I haven't gotten a copy yet, but hope to.

Wednesday, May 8, 2013

Smartphones approved by DOD

Some recent news items indicate what smartphones the DOD has approved for use.  (read THIS and THIS)

For those not aware, the DOD bases this decision on their Commercial Mobile Device Implementation Plan.

From the news items, they have approved:
• iPhone iOS 6
• Blackberry 10
• Samsung Galaxy devices with Samsung's Knox

That's it.

No other Android devices (which is interesting, as Motorola Solutions came out with a highly secure Android phone recently).  No Windows Phones.  Will they approve more in the future?  Not clear.

For those not aware, Knox is a security add-on to Android created by Samsung.  You can read more about it HERE.

I need to look further into Knox.

Tuesday, May 7, 2013

Google Glass security

I think for any IT person, you have probably heard about Google Glass, Google's latest hi-tech gadget.

Not yet on the market, it's now out in the hands of several, for lack of a better term, beta testers.  (heck, considering who I worked for, I had hoped that the group I was in might be able to test it out as well, and I might be able to try it out.  Won't happen now.)

I've seen a lot of articles on Glass, how useful it will (or won't) be.  I've even seen stuff on Glass 'etiquette'.  (hey, you're basically strapping a video camera to your face!)

What I haven't seen much about is security.  Why should I not be surprised?

Tablets are doomed. Whine, whine, whine.

Ok, this posting is a little off the topic of security, but just wanted to comment on it.

First, we get THIS announcement by the Blackberry CEO that tablets are doomed, they have no future.  I guess since RIM/Blackberry failed with their take on a tablet, that makes them an expert on this.

Then we get THIS from Microsoft Chair Bill Gates that what iPad users REALLY want is an MS Surface, because you need a keyboard and office suite to do 'real' stuff.  I guess since sales of MS Surface are super great, he's right.

Frankly, I think both are wrong.

There is no way of knowing the future of tablets.  You can't predict these things.  I'm still waiting for my jetpack I was promised for the 21st Century.  And my flying car.

And Gates is off.  Many people who use tablets don't care about the lack of a keyboard or an office suite (which here means MS Office, forgetting that tablets can easily access suites like Google Apps, etc.).  And if you need a keyboard with a tablet, that can be done via a Bluetooth keyboard.  Motorola Mobility offers one that can be used with their tablet and I'm sure others do too.  But most tablet users (myself included) would rather use a REAL PC with a REAL keyboard when they want to do work that requires extensive typing and such.

Now back to security.

Monday, May 6, 2013

BYOD will become a requirement by 2017

For those keeping an eye on the whole BYOD/MDM field, there is a new study from Gartner that says that by 2017, half the companies of the world will have a BYOD policy and will NOT provide such devices to their employees.

HERE is a link to an article at CIO Magazine on that.  THIS article at CIO Magazine also covers it.  THIS article at ZDNet has even more info on the report.

Also, per the report, 15 percent will never use BYOD, while 40 percent will offer a choice between corporate provided or employee provided devices.

This, to me, means that dealing with BYOD and MDM becomes that much more important in the years to come.

As to the original report, I can't find a free copy of it on-line.  HERE is Gartner's press release on it, and a link to the report, which must be paid for.

Sunday, May 5, 2013

ACLU sues carriers over updates for Android

I came across this item from last month that made me go "say what?!?"

ACLU sues carriers over Android updates.

So why care about this from a security standpoint?  Well, delays in updates leave Android phones vulnerable to hackers.  It also leads to some taking matters into their own hands to update their phones themselves, which also makes their phones vulnerable.  Neither option is good.  Damned if you do, damned if you don't.

As an Android user, I can understand this.  My phone is still at 4.1.2, when the latest is 4.2.2.

And the process of updating Android phones is complex.  More so than some people think.  It's not like when MS has an update to Windows.  Google releases a new version (after it's been released for Nexus phones) to manufacturers, who must modify and test it on their phones, then turn it over to the carriers for their testing and verifying before it gets released to users' phones.  The whole process delays things longer than most people would like.  And there are no guarantees that a new, official, version will be provided for your particular phone.

It remains to be seen if this improves things or not.

We'll have to keep an eye on this.

Friday, May 3, 2013

Smartphone as bank account

In 2012 I made a presentation at our local security conference (South Florida ISSA Chapter) on smartphone security.  Part of what I presented was the trends I was seeing at the time, based on reports.  Some most people are aware of:  smartphones overtaking "feature phones", smartphones overtaking laptops/PCs in sales, etc.

Another trend I pointed out, which I think is not so well known, at least here in the "developed world", is that of smartphones becoming the first, maybe only, computing device of people in the "developing world", but also of becoming for them the equivalent of a credit card or bank account (checking account).

Security of the Internet of Things

Have you heard about the "Internet of Things"?

I have, thanks to trying to keep up with the whole Maker/DIY area, especially with things like Arduino, Raspberry Pi, BeagleBoards, and the like.

The whole idea, from a techie standpoint, is pretty cool.  All these little devices able to communicate with each other and with other devices like computers and the like, usually wirelessly (WiFi or IR or Bluetooth).  Neat.

But what about security?  Has anyone thought about that?

Everyone gets excited by the possibilities, but sometimes forgets about that.  Even me.  The whole thing seems cool and exciting, and security was furthest from my mind.

But it looks like others aren't ignoring that.  In my research into MDM vendors, I came across one vendor that has a broader focus than just mobile devices to include the "Internet of Things":  Mocana.  This is not an endorsement of them, but I find it interesting that they do have stuff covering the Internet of Things as well as mobile devices.  Am still looking over what they have, but others may also benefit by taking a look at their blog, their webinars, and reports in this area.

There are several books at Amazon on the Internet of Things.  The only one I have is the one from O'Reilly/Make:

Check it out.

Smartphone security

Smartphone security is a topic I've had an interest in for several years.

It doesn't help that for my entire IT Security career I've worked for a major cell phone company.  During that time, I've seen the emergence of smartphones.  I had one of the early Windows-based phones, which was nice (tho limited).  Later I moved to an Android phone, which was even better.  (so far I've gone thru 3 Android phones)

And I've been watching how things have changed.  Early on at the company, we saw our executives make use of smartphones not just as a companion item (like the early PDAs), but almost as a replacement for their desktop/laptop computer.

Wednesday, May 1, 2013

Introduction to a new blog

Welcome to a new blog on IT Security.

Yawn, I bet some will say.

Well, ok.

Who am I and why should I write this?

Well, I am a Senior IT Security Professional (sadly between jobs).  Maybe I'm not at the top tier of the "movers and shakers" in the Security world.  I'm not a hacker.  I'm more of a researcher, an explainer of things.

I read stuff.  I discover stuff that some overlook.  Maybe I don't have something new and original, but maybe I bring up stuff you haven't heard of before.

A big focus of this blog will be mobile device security, as it's an area that has interested me for the last couple of years (working for a major mobile device manufacturer can do that).

I hope you'll join me.

Michael R. Brown