Tuesday, December 10, 2013

Apple's TouchID on the iPhone 5S

Since the Apple iPhone 5S has come out, I've read a few articles on one new feature of the phone, the TouchID fingerprint recognition system.  This is not the first time that fingerprint systems have been used in either smartphones or in technology devices, but I think this is the first time one has been put in a device for mass consumer use.

I recall that several laptops over the years have included a fingerprint system.  My current laptop has one, tho I don't use it.  With smartphones, the Motorola Atrix 4G has it.  I used the phone for a while, and it seemed to work ok, tho when a new version of Android was rolled out, it no longer worked.  That was part of the problem.  With the iPhone 5S, fingerprint recognition is actually built into iOS 7, and is not an add-on service like with the Atrix 4G or with various laptops.

But people will keep trying to add fingerprint systems to devices.  I even have a USB thumbdrive that has a fingerprint system in it.

Thing is, fingerprint recognition is tricky.  There are a lot of potential issues, especially as the finger can get dirty, which can affect the effectiveness of the scanner.

Why people want to use them is pretty clear.  When it comes to authentication, there are 3 factors that can be used:

  • "what you know" (passwords, other information)
  • "what you have" (hardware tokens)
  • "what you are" (biometrics: fingerprint, handprint, iris scan)


A system that uses more than one factor is considered more secure.  Thus, your basic login system which uses username & password is actually using "what you know" twice.  Whereas a system that adds a "what you have" factor, such as a hardware token or a one-time code sent to your phone, is considered more secure.

Biometrics is more tricky.  But it's getting better.  I recall that a college I was at tried a handscan system for the cafeteria, but due to issues dropped it for an ID card.  I think the face scanner ideas are interesting.

Another factor that people are really concerned about is privacy.  People are concerned that Apple will be able to pull their fingerprints from their phones.  Something to look into further.

This is a work in progress, and I plan to return to this topic.

Friday, November 1, 2013

Currently reading: Android Application Security Essentials

I wouldn't ordinarily do this, but I am currently reading Android Application Security Essentials by Pragati Ogal Rai and published by PackT Publishing.

(you can check out the book here:   http://bit.ly/15mnEus)

Seeing as how more and more people are moving to mobile devices (smartphones and tablets) not just as a secondary device but sometimes as a primary device, the security of applications on these devices becomes more and more important.  This book aims to address it.  I am still reading it, but what I've read is pretty good.  Even if your focus is not application development, this will help your understanding of Android security.

Once complete, I hope to do a full review here.  In the meantime, check out the publisher's other works.  I've seen several that have caught my eye.

The new version of Android- 4.4 Kit Kat

By now, I think most people know that the new version of Android is 4.4, and is called "Kit Kat".  Yes, the candy.  Most people thought the next version would be 5.0 and that it would be called "Key Lime Pie".  For those not aware, major versions of Android have been named after desserts, and in alphabetic order.  The next letter would be "K", and the rumor was it would be "Key Lime Pie".

Now that Google has released it, we know more about it.  It seems we don't have a lot of new flashy features, but more fundamental improvements.


Thursday, October 3, 2013

October is National Cyber Security Month. What are you doing?

For those not aware, October is National Cyber Security Awareness Month (NCSAM).

"NCSAM is designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident. October 2013 marks the 10th annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC)."

Now, locally, Nova Southeastern University's Graduate School of Computer and Information Sciences is hosting a series of events that tie in with NCSAM.  The brochure for the events is HERE.

The events are:

* October 3rd- FBI Presentation on National Cyber Security Awareness
* October 10th- Raising Savvy Cyber Kids
* October 17th- Healthcare Cyber Security Summit
* October 24th- Webinar: 12 Simple Cybersecurity Rules for your Small Business

Overall, I think this is a great lineup of sessions.  What is going on in your area for NCSAM??

Friday, September 27, 2013

Filling the void of Blackberry

By now, I think more people are aware of what's going on with RIM/Blackberry.  For most people, it was a matter of who they would be bought out by and when.

When RIM rolled out the Blackberry many years back, its focus was on the business user.  This user needed something reliable and SECURE.  But when the iPhone hit (and later Android), even tho these devices were less secure than Blackberry, they had features that Blackberry lacked and found hard to catch up on: the array of applications.

Now, some tried to bring iPhones and Androids up to the level of Blackberry, to be able to compete for the business user.  For a period of time, Motorola Mobility had an array of products that made their phones more acceptable to the business user.  They had bought out 3LM (mentioned in a prior posting) to make Android more secure.  Their "webtop" on their high end phones was another addition aimed at the business user.  This was a stripped down Linux OS with added features that would turn the phone into a "laptop" if connected to an HDMI device and keyboard (say thru one of their docking stations) or plugged into one of their "lapdocks" which gave a netbook-sized screen and keyboard.  Sadly, when Google bought Motorola Mobility, all that would be dropped as Google wanted the new division to instead focus on the larger consumer market.

Thus, it was left to others to step into the field.  Samsung has already done so to a degree with their Knox security add-on to Android (again, see my prior posting).  Now they seem to have extended this with their SAFE (Samsung for Enterprise) effort.  As higher security for such devices is important, this bears watching.

See article HERE.

Sunday, August 18, 2013

New Security features of Android 4.3

The new version of Android rolled out, 4.3 Jelly Bean, also brings new security features.

By most counts, it seems there are 7 security features rolled out.

1.  First off, we have Restricted Profiles.  This is a feature ONLY for tablets, as these are devices that are often shared among people, especially family members.  This allows for different profiles to be set up, some with restrictions, for, say, children.   More on this HERE.

2.  Next there is strengthening of encryption.  This includes tools to make sure neither hackers nor other malicious entities can access the keys.  There is a new set of APIs for this, known as the Keychain/Keystore system API.

3.  There is a nosuid command that makes sure no program can obtain root privileges by setting the setuid bit.  The /system partition is also better secured as part of this.

4.  The new Find My Phone app (Android Device Manager) can be used to find/locate a lost or stolen device.  And the user can use this to remotely manage, lock, or wipe clean the device.  This I find interesting, as this is a service that many obtain thru MDM systems.  For a corporate user, this is usually part of such a corporate MDM system, run by their company admins.  For the individual user, one can obtain their own such service from third parties.  So I would think this would compete against that more so than the corporate MDM.  But could this be a competition for the corporate MDM systems?  Here is more info on this feature.

5.  Again, something that is not actually in Android, there is the Verify Apps feature that is part of Google Play.  I already blogged about this in a previous posting.  This should extend the protection of Bouncer, but we've already seen Bouncer failing (see my previous postings).  So while Google seems to feel that such things (Bouncer and probably Verify Apps) negate the need for anti-malware apps on Android, I am a bit skeptical of this.

6.  They have activated SELinux within Android.  Now, many may not realize that Android is actually built on Linux.  SELinux is "Security Enhanced Linux", which adds mandatory access controls (MAC) to the Linux kernel.  For more on SELinux, go to the project page HERE.

7.  Finally, there are new WPA2 Wi-Fi security capabilities.  This isn't something the end user can use, but only programmers.  It allows for the use of the new WPA2 (Wi-Fi Protected Access 2) features of Wi-Fi.
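
To make item 3 concrete, here is an added example (not from the original post or from Android's code) that assumes the feature refers to the Linux `nosuid` mount option, under which the kernel ignores setuid/setgid bits on that filesystem. It parses a constructed `/proc/mounts` sample and reports which setuid/setgid files would still be honoured; all paths, devices and file names are made up for illustration.

```python
import re
import stat
from typing import NamedTuple


class Mount(NamedTuple):
    mount_point: str
    options: frozenset


# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass
SAMPLE_MOUNTS = r"""
rootfs / rootfs ro,relatime 0 0
/dev/block/example-system /system ext4 ro,nosuid,relatime 0 0
/dev/block/example-data /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/example-vendor /vendor ext4 ro,relatime 0 0
/dev/block/example-sd /mnt/my\040card vfat rw,nosuid,nodev,noexec 0 0
"""

# Constructed (path, st_mode) pairs, as os.stat() would report them.
SAMPLE_FILES = [
    ("/system/xbin/example_tool", 0o104755),   # setuid, but /system is nosuid
    ("/system/bin/sh", 0o100755),              # no setuid/setgid bit
    ("/vendor/bin/example_helper", 0o104755),  # setuid, /vendor lacks nosuid
    ("/data/local/tmp/example", 0o106755),     # setuid+setgid, /data is nosuid
    ("/mnt/my card/example", 0o104755),        # setuid, card is nosuid
    ("/sbin/example_init_helper", 0o102750),   # setgid, rootfs lacks nosuid
]


def _unescape(field):
    # The kernel writes spaces and other special bytes in mount fields
    # as three-digit octal escapes (a space becomes backslash-040).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts-style text into Mount records."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        options = frozenset(fields[3].split(","))
        mounts.append(Mount(_unescape(fields[1]), options))
    return mounts


def mount_for(path, mounts):
    """Return the mount whose mount point is the longest prefix of path."""
    best = None
    for m in mounts:
        prefix = m.mount_point.rstrip("/") + "/"
        if path == m.mount_point or path.startswith(prefix):
            if best is None or len(m.mount_point) > len(best.mount_point):
                best = m
    return best


def mounts_without_nosuid(mounts):
    """Mount points where setuid/setgid bits are still honoured."""
    return [m.mount_point for m in mounts if "nosuid" not in m.options]


def honoured_setid_files(files, mounts):
    """Regular files whose setuid/setgid bit is NOT neutralised by nosuid."""
    flagged = []
    for path, mode in files:
        if not stat.S_ISREG(mode):
            continue
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        m = mount_for(path, mounts)
        if m is None or "nosuid" not in m.options:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    print("Mounts without nosuid:", mounts_without_nosuid(table))
    print("Setuid/setgid still honoured:", honoured_setid_files(SAMPLE_FILES, table))
```

On a real Linux or Android system the same functions can be fed the contents of `/proc/mounts` and modes gathered with `os.stat()`.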

These are a pretty nice set of additions.  I would like to see how the security of Android 4.3 compares to the latest versions of iOS and Windows Phone.  Not seen a side-by-side comparison.  If any know of one, I'd like to know.

On a related note, I came across THIS article at the Official Google blog on securing your Android phone. They basically give 3 tips:  1) screen lock, 2) be secure on apps you install, but Bouncer & Verify Apps will protect you, and 3) use Find My Phone to be able to find and/or wipe your phone.


I used this article for the source of this posting: HERE  Another good resource I found is HERE.

Friday, August 16, 2013

Security in the "Internet of Things"

During the recent round of IT Security/Hacker conferences in Las Vegas (Defcon, Black Hat, BSides), a variety of interesting security issues have been revealed in various "non-computer" devices that are networked.

Here is a high level overview of several:


  • Hacking of the "Smart Home":  HERE  and HERE   and HERE
  • Hacking of the "Smart Car":   HERE   and longer commentary on the issue HERE
  • Hacking of the "Smart Toilet":   HERE  and HERE
  • Hacking of a baby monitor:   HERE  and HERE  (Updated)
  • Hacking of networked lightbulbs:  HERE

Saturday, July 27, 2013

Google's new "Verify Apps" service makes Android more secure

Along with the recent release of a new version of Android, 4.3, Google also rolled out a new service that promises to make Android more secure.

The Verify Apps service was originally rolled out as part of Android 4.2.  But now it's been pulled out of Android itself and made part of the Google Play Store service, alongside the already existing Bouncer service.  By doing so, all versions of Android can take advantage of this.

I learned about this thru THIS posting at Computerworld.

So, what DOES this new service do?  It's a universal app-scanning system.  It watches for new apps on your system, even those loaded directly from outside the Google Play Store ("sideloaded"), and instantly checks that app for malicious or potentially harmful code.

While I think this is great, I'm not sure I buy into the views of this writer of the blog posting that this somehow eliminates the need of anti-malware apps on Android.  While, yes, there is a bit of fear mongering on the part of the anti-malware field (true of a lot within the security field), the fact is we've seen an increase in Android malware.  Plus, one can get a large number of free anti-malware apps, so it's not like you have to pay a lot of money to protect yourself.

On a practical point, we've seen failures with Bouncer.  Who's to say that similar issues won't be seen with Verify Apps?  Plus, like I think most security professionals, I prefer multi-level security measures.  It's a mistake to rely on one or a limited number of tools to protect our systems.  It would be like a company thinking that since they have firewalls, they need not worry about anti-virus or the like.

I do like the idea of "Android deconstruction" mentioned by the writer (further covered in THIS posting), with Google pulling out certain elements from Android itself, and making them available as separate apps, thus avoiding the issue of Android upgrading.  There are limits to this, as not everything can be an app, but maybe this will help make Android be a more core OS, that can be more easily upgraded.


Thursday, July 25, 2013

New version of Android out

I don't think I will surprise anyone by saying that there is a new version of Android out there:  4.3.

And so, we will have everyone all worked up about it, and wondering when they will get this on their phones.  (which I can understand.  Both my phone and tablet are still at 4.1.2).

I guess it's a good idea to perhaps review all this.

UPDATE II: Android "Master Key" Security issue

Well, a further update on the Android "Master Key" issue.  See my first posting HERE.

Per THIS article at the BBC, Symantec has found someone using it in the wild.  Here is their ITEM on it, with all the technical details.

Kind of funny when the attitude of some was that there wasn't much chance of it being used.

Right.

Wednesday, July 24, 2013

Commentary: Rumination on GUIs

GUI- Graphic User Interface.

Most people who have used computers for the last couple of decades are used to them.  To the point that most can't understand that we used to have to do everything from the command line (CLI- Command Line Interface).

I like graphical interfaces too.  For a lot of tasks, they make things easy. 

But, I'm a bit "old school".  When I first got into admining Unix systems, we had X Windows, but we still had to do things on the command line.  There were some admin tools, but they were just a layer on top of the command line.  They basically put together the commands you would have used.  You could still go around them.  It could be harder, especially for more tricky tasks or tasks you didn't do too often.  But you could do it.

Further, when a system booted up, you got a lot of text on the screen.  It showed you that the system was coming up smoothly.  Or not.  There could be some low level problems that could be shown thru that data, and this helped you resolve that.

Then along came Windows NT.

Soon the bootup information was hidden.  No idea if there were problems.  (you had to hope a system would boot up, and if it didn't, you'd have little info as to why).

Also, all admining was thru graphic interfaces.  Again, this was nice, but you couldn't get around it if there was a problem that could only be solved by doing so.

I have a longtime admin friend who had a particular problem recently with a product that couldn't be solved thru the graphical interface.  And there was no way to get around it and just enter commands.  However, he was able to do so, basically by decompiling the interface.  This is something that your average admin would not be able to do.  But the GUI got in the way.  And the vendor was of little help.

Now, as we move into the "Post-PC" world of smartphones and tablets, I fear we are moving further away from a CLI to a solely GUI world.  For the average user that's fine.  For "power users", this can be an annoyance.  For system administrators (and I include security admins in this), this can be a hindrance if we can't get "under the hood" of what is going on and solve problems. 

I worry about the lack of good deep-level tools for our Post-PC world.

Do any share this concern?

Android Malware jumps 6 fold in last few months

Well, I don't think this is a surprise to anyone.

Per a report by Alcatel-Lucent's Kindsight Security Labs (you can read it HERE.), Android malware has increased 6 fold to over 120,000.  The bulk of these are Trojans of various sorts (the report gives you a breakout of the top ones).

Yesh.

And, sadly, this also shows the weakness of application signing to weed out the malware.  We've already seen issues with Google's Bouncer keeping out the bad stuff, as well as what BlueBox recently found.  (see my prior posts on both of these matters).

Related, they also show an increase in infected home networks.  Again, not a big surprise if you think about it.  Most people who set up home networks have little or no IT (much less IT Security) background.

For a good overview article, read THIS from Ziff-Davis.

Again, what I see here could be addressed by a couple of things.

1. Obviously Bouncer needs to be improved.  BUT people can't rely upon it solely.
2. People need to be encouraged to install anti-malware apps on their smartphones.  Ideally, just as with most PCs that come preinstalled with a commercial AV program (usually with a set period of free use), we need to start seeing smartphones come pre-installed with SOME kind of anti-malware app.  AND those people writing and putting out books/magazines on smartphones need to include security apps as part of their recommended installs people should have on their smartphones.

Tuesday, July 16, 2013

Another "micro-PC"

Just learned about this compact, and inexpensive PC: the Utilite.

At this point it's just announced, but the company has a prior product line called the "Trim-Slice", so they do have a track record.

For about $100, you get a small (very small) case with a powerful CPU, 4G Ram, 128G storage, and plenty of connections (USB, Gigabit ethernet, etc).  Can run Linux or Android.

So now yet another powerful small computer that could be used for some interesting activities.  A possible competition for the Raspberry Pi or Beaglebone.  (tho I don't think so, they are focused on different markets).

Wednesday, July 10, 2013

UPDATE: Android "Master Key" Security issue

Some updates on the Android "Master Key" issue brought up by Bluebox Security.

Per THIS article at TechCrunch, Google has patched the issue.

HOWEVER, before anyone starts to think this is over, keep in mind this means that Google has created a patch and given it to their partners.  THEY then need to test this patch with their released versions of Android for their devices (and realize that this issue goes back to earlier versions of Android which most manufacturers are no longer patching).  And THEN they will release the patch to the carriers so they can test it before it's released.  This isn't like Windows Update.

As noted, most of the manufacturers are only maintaining the newer versions of Android they've released (usually just Jelly Bean), so who knows what this means for those stuck at prior versions.

Also, Bluebox has created a scanner that will tell you if your Android device is vulnerable.  I thought THIS article was a pretty good response to that news.

Tuesday, July 9, 2013

Mission Critical's Information Security Technology Showcase South Florida- Sept 19th

One of the local South Florida IT security resellers, Mission Critical Systems, hosts several Technology Showcases each year.  These showcases bring together several IT security vendors.  Yes, there are the standard sales pitches from them in the Exhibit hall, but what is great is the series of presentations from each of the vendors that avoids being just a sales pitch.  This puts the event on a different level, in my opinion.

Another one of these is coming up in the South Florida area on September 19, 2013.  Registration for the event is already open at their website HERE.   This will be held at the Seminole Hard Rock Casino and Hotel in Davie, Florida.

Disclaimer: I am NOT connected in any way with Mission Critical.  I don't work for them, I don't do business with them.  I do know several of the people who work there, that's it.  So I don't gain anything from promoting this event.

Motorola Mobility Smartphone Security issue: "Motorola is listening"

I recently learned of an interesting article:  "Motorola is listening".  Certainly in these times of heightened attitudes about data privacy, I think it's important that people be aware of these things.

In a nutshell, the author discovered that his Motorola smartphone (a Droid X2) was sending a LOT of information to Motorola, despite not having Motoblur.

Now, a word about Motoblur.  Motorola Mobility rolled out this program as an enhanced UI for their earlier Android phones.  You initially couldn't use your phone without signing up with the Motoblur service.  You were encouraged to enter all your usernames and passwords for the various services you used (email accounts, twitter, facebook, etc), and it would give you alerts.  What I think most people didn't know was that this information was actually stored on Motorola's servers.  It was kind of a cloud service without you realizing it.  I think this was done probably so that as you moved from phone to phone, you could just log back into your Motoblur account on your new phone and have all your settings there.

But people hated Motoblur, and later versions were less intrusive.  AFAIK, in their most recent phones (the newest RAZR line), Motoblur is gone.  But they still use Motoblur for some things.  (When I was "dogfooding" new versions of Android on a RAZR M, the updates were sent to my phone via Motoblur).  I had to deal with Motoblur on my original Atrix 4G.  But I don't recall dealing with it on my Droid Bionic, and certainly didn't have it on my RAZR M.

The author's phone, AFAIK, doesn't have Motoblur, BUT it is interesting (and a bit scary) that Motorola Mobility still seems to be gathering information from his phone.  He has asked people with different models of Motorola phones to test them (he provides the tool he used) and report back on their results.  I recommend people take a look at this article for updates.  He has already put up several based on feedback.  Will be interesting to see where this goes.

And what about other companies?  Are Apple, Samsung, HTC, etc doing something similar?


Friday, July 5, 2013

More on TOR

I recently posted on the Onion Pi, using a Raspberry Pi as a TOR (The Onion Router).

As noted, for those wanting to learn more about TOR, check out their site HERE.

If you are one of those people that think only "naughty people" will want to use this device, you should check out their site.

Or better yet, watch this recent video from reason.tv which talks about it and the reasons why some would want privacy on the Internet:

New Android Security hole

So I am not the first to bring this to others' attention.  I've seen several articles over the last week on the Android "Master Key" vulnerability.

Basically, researchers at Bluebox Security have found this security hole that has been present in all versions of Android since v1.6.  The firm informed Google about this in February.  The Samsung Galaxy S4 supposedly has been patched for it.  No word on any other Android device.

More information on it will be forthcoming at the Black Hat Security Conference.  But for right now, you can check out their blog posting HERE on it.

Now, a basic thing about this issue is that it is exploited by malicious apps.  And malicious apps, despite tools like Bouncer in the Google Play Store, can still be put up there.  Patching Android is always a tough thing, because the process has to include both the manufacturers and the carriers.  According to a recent item on CIO, Google has already updated Play Store to block apps that take advantage of the issue.  But I hope people see that as only a stop gap to getting the Android OS itself patched.

For those interested, here are the articles I've seen so far on this:

Bluebox Blog
Techcrunch
Android Central
CIO



Wednesday, June 26, 2013

SL Powers IT Security Lunch & Learn event

Tying in with my recent posting on getting involved with local security events, today I attended a "lunch and learn" event organized by one of our local IT services companies, SL Powers.   They apparently do these events in our local area about once a month, in different locations.  This one had two presentations, both were pretty good.

First up, we had Silka Gonzalez, President & CEO of Enterprise Risk Management, a local company focused on helping their clients with risk management and assessments.  She gave a good overview of some of the various regulatory compliance standards out there that many of us have to deal with:  GLBA, FACTA, SoX, HIPAA/HITECH, FERPA, FISMA, and PCI-DSS.  What I particularly liked was how she pointed out the similarities among many of these, and what are the basic underlying concepts that are common in all of them.

The second talk was by Tom Leffingwell of Juniper Networks.  Now, I have known Juniper as a competitor to Cisco in terms of networking equipment.  What I wasn't aware of was their work in the area of network security.  So it was good to learn more about what they do in this area.  As with these kinds of presentations, you run the risk of being more a sales pitch than a technical overview, and I think he did a good job of staying more technical than sales.

I will keep my eye out for further sessions like these.  SL Powers also has a series of sessions called "Tech on Tap", which also sounds interesting.

I found out about this event via Eventbrite.  If you aren't familiar with this site, check it out.  Great way to find out about events in your area, both free and fee.  As IT people, we need to keep up our skills, so attending these events has multiple benefits.

Monday, June 24, 2013

Getting involved locally- joining, learning, networking

So it's been too long since I've posted.  Something in the back of my mind is my observations of my colleagues in the IT and IT Security realm.  What has long disappointed me was how many never bothered to keep learning and being involved in the larger "community".  Other than taking some training courses, many didn't bother to keep up with what is going on in the industry- didn't read journals (either print or on-line), didn't get engaged with local groups or events or the like.

For me, I joined USENIX and SAGE when I got involved as an IT admin.  When I got involved in IT Security, I joined ISSA and got involved in the South Florida ISSA chapter.  I was briefly involved with ISACA (and thought about getting back involved).  I know about other groups (we have a chapter of ISC(2) getting formed) and have looked at others to see if they were worth joining.

I tried to get involved with local events tied with those groups (my chapter runs a security conference every 2 years, and has an annual "hack the flag" event), as well as others.  Last year in December we had the ITPalooza event, which will happen again this year.

So my advice to you is if you want to succeed in your IT career: GET INVOLVED.  Depending on what your interest or focus is, see if there are groups that are appropriate for that, and join them.  Especially get involved with local chapters of these groups.  Maybe think about becoming an officer.  If you are the type, consider making a presentation, even if it's at a local event.

So, if you've had experience getting involved, comment about what you've done and what you've gotten out of it.

Tuesday, June 18, 2013

NSA, Prism, Privacy and all the rest

Well, it's been too long since I posted.  I wanted to post something about the recent revelation about NSA spying on American citizens, the government's PRISM program, Edward Snowden revealing information and all the rest.

Frankly, I found it hard to do so.  I prefer to stay apolitical with this blog, and so much of what is coming out is being picked up by different people and pushed in different ways.  In some ways, it's like the whole issues are a mirror to see how other people think about privacy and the like.  It's a bit scary.

Bruce Schneier on his blog has frankly been doing a better job than I can.  And I largely agree with much that he is sharing.

The Electronic Frontier Foundation did a report on "Who Has Your Back", showing companies who are (or are not) protecting your information.  After this, I wonder what this report will show in the next edition?

Friday, June 14, 2013

Upcoming South Florida Security Event: State Sponsored Hacking

For those IT Security professionals in the South Florida area, there is an upcoming security event they should know about.

Hosted at Nova Southeastern University on July 23rd, it's on State Sponsored Hacking.  It's organized by SherlockTech Staffing.

Full info and free registration at Eventbrite:  http://nsu-securityevent-es2.eventbrite.com

Signup today!!!

Wednesday, June 12, 2013

"A Great Course" on Cybersecurity

Not sure if others are aware of the company The Great Courses, which sells college-level courses on CD & DVD.  I've gotten a few and enjoyed them.

In their most recent catalog, I saw a new course that would be of interest to this audience.

"Thinking about Cybersecurity", an 18-lecture course by Professor of Law Paul Rosenzweig.  (Course #9523)

The lecture listing has a lot of topics dealing with cybersecurity.  Not sure of the level of technical information, or if it's more on the policy side.

Has anyone gotten this yet and can comment?

Wednesday, June 5, 2013

CIA Releases Analyst work on how he decrypted 3/4s of the Kryptos Sculpture

I would hope most security geeks are aware of the Kryptos Sculpture located at the CIA's Langley headquarters.  Artist Jim Sanborn unveiled this cryptographic sculpture in 1990.

It took until 1998 for someone to decrypt 3 of the 4 panels.  Analyst David Stein did so, and he wrote a paper on it.  It was published in the CIA’s classified journal Studies in Intelligence.  Note that ONE panel is still unsolved.

Thanks to THIS ARTICLE at Wired.com, it seems that the National Security Archives has made this now unclassified work available.  You can read it HERE.

Monday, June 3, 2013

GeorgiaTech Researchers can hack your iPhone via charger

The use of small hardware devices (Arduino, Raspberry Pi, BeagleBone) to hack systems is one I've touched on before.  At the recent HackMiami Conference there was a very good presentation on this.  I think this is a vector that not too many security professionals are aware of, to their detriment.

HERE is a recent article on some researchers at Georgia Tech who say they can infect an iPhone via a charger.  They will be showing how they did it at the upcoming Black Hat conference.

Apparently it's done with a BeagleBoard, which is a sizable device.  A BeagleBone would have been smaller, and easier to fit into a surge protector/power strip than a BeagleBoard.  But maybe they were looking for more proof of concept.



China & US start talks regarding cyber theft and espionage

Well this is interesting.

A very recent article published in an Australian paper (I can find no such article in any US paper, why is that?) says that the US and China are starting talks "to set standards of behaviour for cyber security and commercial espionage".

Pretty interesting, considering that most people think that the various cyber attacks being seen by the US government are coming from China, and that such attacks are coming at the behest of the Chinese government.

This bears watching.



Android malware disguised as anti-malware software

Something I don't think a lot of security professionals are aware of is the trend of users being tricked by fake anti-virus/anti-malware software that is really malware!  (apparently we now have a term for this: scareware)  People are so concerned about getting infected, that they install software they think will protect them, when, in fact, it's infecting your system.

A recent presentation I was at said that the largest vector for Macintosh malware is via such fake anti-malware apps.  And, per another article, there is way more fake anti-malware on Windows than on Mac.  Big surprise.

And it shouldn't be a big surprise that the bad guys are doing the same on smartphones as well.

HERE is a great posting at Sophos' Naked Security blog on a deep examination of one such fake anti-malware on the Android platform.  Check it out.  A good read, with some great information.

Friday, May 31, 2013

Media attention for HackMiami's conference

I had a prior posting on the recent HackMiami conference here in the South Florida area.

They have gotten some media attention for their conference, in particular for one of their panel discussions on the growing "cryptocurrencies" such as Bitcoin and the like.  You can read the article HERE at Financial Tech Spotlight.  I had attended this panel, and thought it was pretty good.

Thursday, May 30, 2013

Disney's new MagicBands

In a recent article at All Things D, it's noted that Disney is rolling out a new item called MagicBands, that serve as replacements for park tickets (including FastPass), even room keys.  They work wirelessly, so are similar to various RF access cards.  They can also be tied to credit cards, so guests can use their MagicBands to pay for stuff.

It's good that the article did bring up potential security risks, especially with the credit cards.  Ok, the bands don't have the credit card info on them, and the guest must use a PIN code to fully utilize that, so you do have 2-factor authentication for that part.  But you do have to wonder if the bands can be cloned.  This would allow someone to get into hotel rooms or use them to get into the parks, etc.

Here is a Disney Blog posting on it.


Review: The Phoenix Project

In a previous posting, I mentioned a new book out, The Phoenix Project.  Surprisingly, this is a novel that is "about IT, DevOps, and Helping your Business Win."  I had heard about it from a couple of IT Security colleagues, and had to check it out.

As I noted in my previous posting, the idea of process improvement in IT is one I've had an interest in over the years.  Up till now, nothing I had seen used had really done the job well.  This book is intended as an introduction to a new way of thinking about IT, called DevOps (a combination of Development and Operations, two groups in IT that are often at odds).



Wednesday, May 29, 2013

SANS' Securing the "Internet of Things" Summit

I recently learned that the SANS Institute, a leading IT Security training and certification organization, has a Call for Papers (CFP) for an upcoming one day workshop on securing the "Internet of Things".

The event is the Securing the Internet of Things Summit, being held on October 21st in San Francisco.



The page has full info on the event, including the CFP.

The event sounds pretty good.  I'd love to be there, but most likely won't be able to.  I do hope that the papers presented will be available to others.  (say a conference report or the like).

Failure of Bouncer

In a previous posting, I mentioned Bouncer, Google's service within the Google Play Store that is supposed to keep out malware.  This is important, because the Play Store does not vet new apps to the level that Apple's App Store does, meaning that Google Play becomes one of the biggest vectors for malware to get into Android phones.


Well, per a recent article at ArsTechnica, someone figured out how to get around this.  I discovered this thru an article at TechRepublic.

Apparently how they did it was upload an app to Google that was ok, which was checked by Bouncer.  Then they uploaded a new version of that app, this one with the malware.  Now, I have to wonder why Bouncer didn't re-check it.  Wouldn't that malware app be different (different size, at least a new update date), and thus Bouncer would re-examine it?  Seems it's not set up that way.  Certainly a new upload, if it's not a new size, should trigger a recheck.

Apparently some 9 million users got it.  Upsy.

Check out the article at TechRepublic.  I thought it had some pretty good points, similar to what I've been saying, on the need for better security stance when it comes to Android.  A big part is that we need to get more people to install AV software (ok, they are really anti-malware, but still) on their phones.  Stop giving people the impression these devices are totally secure, and take practical security in mind.

Sunday, May 26, 2013

DevOps- a preliminary look

This is a posting I've been working a bit on for sometime.  I decided to at least get this out, as it's a topic I will probably be visiting more in the future.

As a long time IT professional, I've had to deal with process and procedures.  These are needed to manage the systems we are responsible for and deliver the services we should be.  Even as security professionals, we need to understand that our job is to secure these systems to help ensure that the delivery of them is not interrupted.  And often times this means doing so in a consistent manner, which happens when we follow procedures.

Review: Android Security

I recently picked up a new book on Android security.  Looks to be the only (so far) book on the topic, so they have kind of set the bar for subsequent works.  The book is Android Security: Attacks and Defenses by Anmol Misra and Abhishek Dubey (CRC Press, ISBN 978-1-4398-9659-4).  They have an accompanying website and blog, www.androidinsecurity.com where there are also resources from the book.  (but there's not much traffic on the blog, hope this changes.)

Having read over it, I have to give it an overall grade of B+.  (or if you prefer, 4 out of 5 stars).

Thursday, May 23, 2013

Video game console hacking

Like most IT people, I like video games.  Over the years, I have used and played several video game consoles (still have them).  Nintendo, Super Nintendo, Sega Genesis, Playstation, etc.  Personally, I like using them over playing video games on PCs, because it's easy to just launch the game and play.

Over time, especially in recent years, these video game systems have gotten more and more powerful, rivaling and I think exceeding, the power of most PCs.  Souped-up CPUs and graphics, hard drives, BluRay discs, etc.  Then the more recent systems from Nintendo, Sony, and Microsoft have gone on-line.

Monday, May 20, 2013

The importance of smartphone security awareness

I have posted prior on the issue of smartphone security.  And one of the biggest issues related to this is how many people who have smartphones are sadly not aware of the need to be secure.  I guess we could say there is a lack of security awareness when it comes to smartphones.  This issue is made more difficult by people making the claim that smartphones are "more secure" than PCs (whatever that means), and that somehow people don't need to be as security minded about their smartphones like they are with their PCs, especially if it's a personal phone.

I'm sorry, but I find that an irresponsible attitude.

HackMiami 2013 Conference Report

This past weekend (May 17-19), the hacker group in my local area HackMiami had their first conference, HackMiami 2013 and I attended.  While not a member of the group, I have heard of them, and we've had them help out with some of our South Florida ISSA events.  This is not an underground group.  Most of the members actually work with/for many local IT security companies.

This was a hacker conference, which is a little different from a traditional IT Security conference.  Some of the stuff done is a bit out there, there is expectation that the audience is more technical, and some sessions were more hands on than in most Security conferences.

Friday, May 17, 2013

Raspberry Pi as PenTest tool

I've previously mentioned the Raspberry Pi, the cool credit-card sized Linux computer that is very inexpensive, and can be easily attached to a monitor and keyboard.

Well, I came across this interesting posting at InfoSec Institute resources on using the Raspberry Pi as a Pentest system.

It looks pretty interesting.  There are already setup distributions you can download to a SD card that have all the Linux tools you'd need already setup.  The author shows 3 different distributions available.

Cybercriminals steal $45 million from ATMs: UPDATE 2

Another update posting on the recent cybercrime of $45 million stolen from 2 banks in the Middle East via pre-paid debit cards.

My first posting is HERE, the first update is HERE.

Another article I stumbled upon is HERE.

Per this article, the individual killed in the Dominican Republic (named in this one) is said to be the "mastermind" of the whole thing, not just of the US Cell.  It's claimed it was due to a dispute among rival gangs over the disbursement of the haul.  Still not sure if this means he's the overall mastermind, but does seem to indicate that he was killed by others within the overall scheme.

The article also reports that German authorities have arrested two Dutch nationals in connection with this crime.  It sounds like they were part of the large group hitting the ATM systems, so who knows where this will lead.

Again, as I see more, I will pass it along.  You can help by adding comments about this matter.

Thursday, May 16, 2013

HackMiami 2013 Conference this weekend

This weekend (May 17-19), local hacker group HackMiami is having their first conference, Hack Miami 2013.   While not a member of the group, I have heard of them, and we've had them help out with some of our South Florida ISSA events.

Overall, the conference looks pretty good.  They've organized 3 tracks, "old headz", "new headz", and "moral headz", so there should be a good mix of sessions to attend.

Seeing as how Hacker Halted USA isn't coming back to Miami this year (they're going to Atlanta this year), this may be the only major IT Security conference in the South Florida area.

Next week I'll post my comments on the event.



Wednesday, May 15, 2013

Congress votes on several cybersecurity bills

I try to stay away from politics in this blog, but a recent item I saw in another blog I have to pass along.

The original item is HERE.

This week, the House is voting on several cybersecurity bills.

Most important is the controversial CISPA (Cyber Intelligence Sharing and Protection Act).  On the surface, it looks pretty good, as it sets down standards for government and industry to share data on cyber threats.  But there are issues with privacy data being shared by industry (especially social networks) with the government.

Tuesday, May 14, 2013

3LM- what could have been

This posting may be a little different from what you might expect on a security blog.  One subject I've loved is history.  This means that often times I am interested in the history or development of technology or ideas in other areas I am involved in.  So this posting will take a look at the history and what could have been with one company.


3LM, 3 Laws Mobility, is (or I guess now was) a small firm involved in the overall Android MDM marketplace.  The name, an allusion to Asimov's "Three Laws of Robots", stood for the guiding principles of the company:


  • Protect your user. A mobile device may not harm its user or, through inaction, allow its user to come to harm through malicious code or content.
  • Protect yourself. A mobile device must protect itself and the integrity of its data and secured communications.
  • Obey. A mobile device must let the user use the device freely, as long as such usage does not conflict with the First or Second Law.

The company's product was not something that was sold to the end users or to enterprises.  It made changes to the Android OS, and so would be something the device manufacturers would incorporate into their builds of Android on their devices.  This would extend and enhance Android, making it easier to be managed by other products.

Frankly, stuff that probably should have been in Android in the first place.

    Monday, May 13, 2013

    Cybercriminals steal $45 million from ATMs: UPDATE 1

    The matter of the $45 million stolen worldwide by a cybercriminal ring is something I plan to keep an eye on.   See my previous posting on it.

    In a search of news items, most seem a repeat of what we've already seen.  A new article I saw in Forbes HERE does delve into how they got away with it.

    Per the author, there are 4 things the thieves exploited:

    1. Using pre-paid debit cards
    2. Using cards with magnetic strips instead of chips
    3. Breached overseas card processors
    4. Large number of confederates utilizing cards worldwide

    Each of these had their own issues.  The thing with using pre-paid debit cards is that unlike credit cards, there is no usage of buying habits to discover issues.  As I had both my main credit card numbers stolen recently, I know that it was by their unusual buying habits that this was caught.  (one card they started to use down in Brazil, the other was to make purchases across the state from me).

    While some credit cards can have smart chips in them, they are sadly not universal in the US.  Magnetic cards are easily cloned, not an issue with smart cards.

    The usage of overseas processors shows the weakness of their process.

    And usage of all their confederates spread the risk to a large number.  There is the possibility that the use of them could be tracked back to the ringleaders.  This remains to be seen.

    I still wonder why only cards issued by 2 banks in the Middle East were targeted.  There must be a reason.  And who killed the leader of the US gang in the Dominican Republic?  Hopefully as this case progresses, we'll learn more.
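
The gap noted above (prepaid cards with no buying-habit monitoring, raised limits, and many confederates using the same cards worldwide) is the kind of thing a simple velocity check can surface. The sketch below is an example added here, not code from the Forbes article or from any bank or processor; the record fields, thresholds, issued limits and sample withdrawals are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card_id: str
    ts: datetime
    country: str
    amount: float


# Assumed thresholds, chosen only for illustration.
WINDOW = timedelta(hours=1)   # sliding window per card
MAX_COUNTRIES = 1             # a physical card cannot be in two countries within an hour
MAX_COUNT = 5                 # withdrawals per card per window

# Daily limits as recorded at issuance, kept separately from the processor's
# live record so that a tampered live limit does not hide the overrun.
ISSUED_DAILY_LIMIT = {"card-A": 500.0, "card-B": 500.0, "card-C": 500.0}


def detect(withdrawals, issued_limits=ISSUED_DAILY_LIMIT, window=WINDOW):
    """Return {card_id: sorted list of alert reasons} for suspicious cards."""
    recent = defaultdict(deque)        # card -> withdrawals inside the window
    day_total = defaultdict(float)     # (card, date) -> amount withdrawn that day
    alerts = defaultdict(set)

    for w in sorted(withdrawals, key=lambda x: x.ts):
        q = recent[w.card_id]
        q.append(w)
        # Drop withdrawals that have aged out of the sliding window.
        while w.ts - q[0].ts > window:
            q.popleft()

        if len({x.country for x in q}) > MAX_COUNTRIES:
            alerts[w.card_id].add("multi_country")
        if len(q) > MAX_COUNT:
            alerts[w.card_id].add("high_frequency")

        key = (w.card_id, w.ts.date())
        day_total[key] += w.amount
        limit = issued_limits.get(w.card_id)
        if limit is None:
            alerts[w.card_id].add("unknown_card")
        elif day_total[key] > limit:
            alerts[w.card_id].add("over_issued_limit")

    return {card: sorted(reasons) for card, reasons in alerts.items()}


def _t(hhmm):
    """Build a timestamp on one constructed sample day."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2013, 2, 19, h, m)


# Constructed sample records (not real transaction data).
SAMPLE = [
    # card-A: same card number used in three countries within ten minutes.
    Withdrawal("card-A", _t("10:00"), "US", 400.0),
    Withdrawal("card-A", _t("10:05"), "JP", 400.0),
    Withdrawal("card-A", _t("10:10"), "DE", 400.0),
    # card-B: ordinary use, two withdrawals in one country under the limit.
    Withdrawal("card-B", _t("09:00"), "US", 200.0),
    Withdrawal("card-B", _t("15:00"), "US", 200.0),
] + [
    # card-C: seven small withdrawals in seven minutes at one location.
    Withdrawal("card-C", _t(f"11:0{i}"), "US", 50.0) for i in range(7)
]

if __name__ == "__main__":
    for card, reasons in sorted(detect(SAMPLE).items()):
        print(card, reasons)
```
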

    Mini Android PC

    In a previous entry, I pointed out some of the interesting mini-computers that are now out there.  The most well known of these are the Raspberry Pi and the BeagleBoard.  These mainly run Linux, tho there is work being done to put other OSs on them.

    I think from a research perspective, these give some interesting avenues of investigation for security matters.  Especially at such low cost, one could have several devices to test against.  Instead of having a rack of full blown PCs, one could have several such mini PCs.

    For those wanting to research Android security, things seem kind of slim.  I don't like the idea of using my own smartphone for such work, tho I could see using a separate pre-paid Android phone for this.  But that could still get costly.

    Sunday, May 12, 2013

    Cybercriminals steal $45 million from ATMs

    I hope that most IT security people are taking a look at the recent cybercrime that broke in the last couple of weeks, of an organized group of criminals who stole $45 million from ATMs thru the use of pre-paid debit cards.  This happened in February of this year, and only came to light recently.

    From the information so far, they did this by exploiting 2 weaknesses:
    • Broke into bank computers and stole prepaid debit cards, erasing their withdrawal limits.
    • Got the data into the hands of others who cloned the cards and hit numerous ATMs.
    And apparently, doing these two things in coordination is what made this successful for this group.  Better oversight could have stopped the first.  And the use of smart chips instead of magnetic strips in cards could have dealt with the second, but this is rare in US credit/debit cards.

    We are seeing the rise of such organized cybercrime.  And frankly, the numbers in just this case are staggering:  thieves were in 27 countries, and they made about 36,000 withdrawals over 10 hours to accumulate $45 million.  That works out to about a withdrawal of $1,111 every 10 seconds.

    All the cards stolen were MasterCard prepaid debit cards, and only 2 banks were targeted.   In December, it was cards issued by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates.  Then in February it was cards issued by the Bank of Muscat in Oman.  I have to wonder if there was a reason those banks were the target.

    What I haven't seen is the size of this overall group, which may not be known at this point.  A small group has been arrested in the US (apparently the "US cell"), and another individual who was apparently the leader of that cell was killed in the Dominican Republic (by who is not clear).   What about the overall ringleaders?  Maybe they killed the US ringleader to prevent any links back to them.  (yeah, I guess I read too many thrillers...)

    Am sure we will get more info on this case as it moves along.  I wonder how procedures may be changed or improved in light of this.

    Here are some of the articles on this matter:

    Global Post on the heist.   Business Insider on how it was done.   NPR on it.
    Dark Reading on the 8 caught in NY

    Saturday, May 11, 2013

    Android security books, finally

    Ok, I will admit to being a bibliophile.  I love books.  When it comes to systems support, I like having the official manual and materials, alongside the best "unofficial" works.  These, I find, usually help me find the answers I need.  On-line resources are great, but it can be a bear to have to search thru so much to find an answer.

    In the area of Android, there have been several books on developing apps for Android, but nothing (so far) on Android security.

    Well, with what seems to be the first of what looks like several works, we finally have an Android security book. I haven't gotten a copy yet, but hope to.

    Wednesday, May 8, 2013

    Smartphones approved by DOD

    Some recent news items indicate what smartphones the DOD has approved for use.  (read THIS and THIS)

    For those not aware, the DOD bases this decision on their Commercial Mobile Device Implementation Plan.

    From the news items, they have approved:
    • iPhone iOS 6
    • Blackberry 10
    • Samsung Galaxy devices with Samsung's Knox

    That's it.

    No other Android devices (which is interesting, as Motorola Solutions came out with a highly secure Android phone recently).  No Windows Phones.  Will they approve more in the future?  Not clear.

    For those not aware, Knox is a security add-on to Android created by Samsung.  You can read more about it HERE.

    I need to look further into Knox.


    Tuesday, May 7, 2013

    Google Glass security

    I think for any IT person, you have probably heard about Google Glass, Google's latest hi-tech gadget.


    Not yet on the market, it's now out in the hands of several, for lack of a better term, beta testers.  (heck, considering who I worked for, I had hoped that group I was in might be able to test it out as well, and I might be able to try it out.  Won't happen now.)

    I've seen a lot of articles on Glass, how useful it will (or won't) be.  I've even seen stuff on Glass 'etiquette'.  (hey, you're basically strapping a video camera to your face!)

    What I haven't seen much about is security.  Why should I not be surprised?

    Tablets are doomed. Whine, whine, whine.

    Ok, this posting is a little off the topic of security, but just wanted to comment on it.

    First, we get THIS announcement by Blackberry CEO that tablets are doomed, they have no future.  I guess since RIM/Blackberry failed with their take on a tablet, that makes them an expert on this.

    Then we get THIS from Microsoft Chair Bill Gates that what iPad users REALLY want is a MS Surface, cause you need a keyboard and office suite to do 'real' stuff.  I guess since sales of MS Surface are super great, he's right.


    Frankly, I think both are wrong.

    There is no way of knowing the future of tablets.  You can't predict these things.  I'm still waiting for my jetpack I was promised for the 21st Century.  And my flying car.

    And Gates is off.  Many people who use tablets don't care about the lack of a keyboard or an office suite (which here means MS Office, forgetting that tablets can easily access suites like Google Apps, etc.).  And if you need a keyboard with a tablet, that can be done via a bluetooth keyboard.  Motorola Mobility offers one that can be used with their tablet and I'm sure others.  But most tablet users (myself included) would rather use a REAL PC with a REAL keyboard when they want to do work that requires extensive typing and such.

    Now back to security.

    Monday, May 6, 2013

    BYOD will become a requirement by 2017

    For those keeping an eye on the whole BYOD/MDM field, there is a new study from Gartner that says that by 2017, half the companies of the world will have a BYOD policy and will NOT provide such devices to their employees.

    HERE is a link to an article at CIO Magazine on that.  THIS article at CIO Magazine also covers it.  THIS article at ZDNet has even more info on the report.

    Also, per the report, 15 percent will never use BYOD, while 40 percent will offer a choice between corporate provided or employee provided devices.

    This, to me, means that dealing with BYOD and MDM becomes that much more important in the years to come.

    As to the original report, I can't find a free copy of it on-line.  HERE is Gartner's press release on it, and link to the report, which must be paid for.

    Sunday, May 5, 2013

    ACLU sues carriers over updates for Android

    I came across this item from last month that made me go "say what?!?"

    ACLU sues carriers over Android updates.

    Wow.

    So why care about this from a security standpoint?  Well, delays in updates leave Android phones vulnerable to hackers.  It also leads to some taking matters into their own hands to update their phones themselves, which also makes their phones vulnerable.   Neither option is good.  Damned if you do, damned if you don't.

    As an Android user, I can understand this.  My phone is still at 4.1.2, when the latest is 4.2.2.

    And the process of updating Android phones is complex.  More so than some people think.  It's not like when MS has an update to Windows.   Google releases a new version (after it's been released for Nexus phones) to manufacturers, who must modify and test it on their phones, then turn it over to the carriers for their testing and verifying before it gets released to users' phones.  The whole process delays things longer than most people would like.  And there are no guarantees that a new, official, version will be provided for your particular phone.

    It remains to be seen if this improves things or not.

    We'll have to keep an eye on this.





    Friday, May 3, 2013

    Smartphone as bank account

    In 2012 I made a presentation at our local security conference (South Florida ISSA Chapter) on smartphone security.  Part of what I presented was the trends I was seeing at the time, based on reports.  Some most people are aware of:  smartphones overtaking "feature phones", smartphones overtaking laptop/PCs in sales, etc.

    Another trend I point out I think is not so well known, at least here in the "developed world".  That of smartphones becoming the first, maybe only computing device of people in the "developing world", but of also becoming for them the equivalent of a credit card or bank account (checking account).

    Security of the Internet of Things

    Have you heard about the "Internet of Things"?

    I have, thanks to trying to keep up with the whole Maker/DIY area, especially with things like Arduino, Raspberry Pi, BeagleBoards, and the like.

    The whole idea, from a techie standpoint is pretty cool.  All these little devices able to communicate with each other and to other devices like computers and the like, usually wirelessly (WiFi or IR or Bluetooth).  Neat.

    But what about security?  Has anyone thought about that?

    Everyone gets excited by the possibilities, but sometimes forgets about that.  Even me.  The whole thing seems cool and exciting, and security was furthest from my mind.

    But it looks like others aren't ignoring that.  In my research into MDM vendors, I came across one vendor that has a broader focus than just mobile devices to include the "Internet of Things":  Mocana.  This is not an endorsement of them, but I find it interesting that they do have stuff covering the Internet of Things as well as mobile devices.  Am still looking over what they have, but others may also benefit by taking a look at their blog, their webinars, and reports in this area.

    There are several books at Amazon on the Internet of Things.  The only one I have is the one from O'Reilly/Make:

    Check it out. 

    Smartphone security

    Smartphone security is a topic I've had an interest in for several years.

    It doesn't help that for my entire IT Security career I've worked for a major cell phone company.  During that time, I've seen the emergence of smartphones.  I had one of the early Windows-based phones, which was nice (tho limited).  Later I moved to an Android phone, which was even better.  (so far I've gone thru 3 Android phones)

    And I've been watching how things have changed.  Early on at the company, we saw our executives make use of smartphones not just as a companion item (like the early PDAs), but almost as a replacement for their desktop/laptop computer.

    Wednesday, May 1, 2013

    Introduction to a new blog

    Welcome to a new blog on IT Security.

    Yawn, I bet some will say.

    Well, ok.

    Who am I and why should I write this?

    Well, I am a Senior IT Security Professional (sadly between jobs).  Maybe I'm not at the top tier of the "movers and shakers" in the Security world.  I'm not a hacker.  I'm more of a researcher, an explainer of things.

    I read stuff.  I discover stuff that some overlook.  Maybe I don't have something new and original, but maybe I bring up stuff you haven't heard of before.

    A big focus of this blog will be mobile device security, as it's an area that has interested me for the last couple of years (working for a major mobile device manufacturer can do that).

    I hope you'll join me.

    Michael R. Brown