
New FDA Guidance on Medical Device Cyber Security

Friday 14 June 2013 - Filed under cybercrime + New Technology + Security Regulations

The FDA has released new guidance on information security practices for medical devices. Many hospitals’ information security staff are left to battle medical device vendors over their poor (or often non-existent) practices in maintaining software security patches and updates; vendors may even refuse to support a device if hospital IT staff apply those patches themselves. One claim these vendors make is that any security update requires a new 510K re-certification. The FDA’s clear answer is that security patches do not need to go through re-certification unless, in an atypical circumstance, the change could be expected to affect patient life safety.

The FDA’s guidance from 2009 also failed to explicitly assign responsible parties, leaving vendors room to debate the issue into submission. The guidance released yesterday closes many of these loopholes and reminds health care facilities that unaddressed non-compliance in a vendor’s security practices should be reported to the FDA’s Medical Device Reporting (MDR) program.


2013-06-14  ::  Joshua Spencer

Your Gmail has been hacked. 10 things you must do NOW!

Tuesday 21 May 2013 - Filed under cybercrime

Gmail accounts being compromised by hackers and spammers happens all too often. If it hasn’t happened to you directly, you have undoubtedly received bogus emails from contacts whose accounts were taken over, peddling work-from-home offers or often just a lonely, unassuming (but malicious) link. If you or a friend is ever in this situation, here are ten steps to regain control of the account and make sure the bad guys don’t get back in.

  1. If you no longer have access to your account, you can fill out the Gmail Account Retrieval Form.
  2. Scan your computer for viruses and malware. This is the most common way that the hackers get your password in the first place.
  3. Change your password. Your password should not be easy to guess and you should not use your email password on other websites. The second most common way that the spammers get your password is by breaking into less secure websites that store your password.
  4. Verify that your mobile phone, security questions and alternate email are correct. Oftentimes the bad guys will change this information to their own so that they can get back into your account after you reset your password.
  5. Enable two-factor authentication. When you (or the bad guys) try to log in to your account from a new computer, Google will send you a text message with a second password that the hackers don’t have access to.
  6. Check your signature and vacation responder. Many times, the spammers will leave their links in your signature or out-of-office reply so that you continue to send their spam emails after they have lost control of your email account.
  7. Delete any unfamiliar email accounts set to “Send mail as” in your Gmail account settings. Spammers will often attach your email account to theirs using this setting, which allows them to continue to send email that looks like it comes from you.
  8. Delete any services that you do not recognize in “Connected applications and sites”. These third-party applications and sites can still be used to send messages to your contacts.
  9. Check email filters and remove any that forward emails to an unknown email address or that delete messages. Oftentimes, the hackers will simply tell Gmail to forward your emails to their email account and delete your copy. For example, they will create a mailbox rule that forwards any message with “Your temporary Chase.com password” and then deletes the copy in your account. Long after you have control of your email back, they can still reset your other important accounts.
  10. Make sure you keep your system up to date with security patches, particularly your web browser, operating system, Adobe Flash, Adobe Reader, antivirus and Java security updates.

Following these ten simple steps, you are guaranteed to have a much safer email experience, and hopefully never have to go through the hassle and embarrassment of recovering your account from spammers.
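Steps 7 and 9 above are the ones that are easiest to miss by eye, so here is an added example (not part of the original post) of auditing the relevant settings in code. It assumes the filter, forwarding-address and “Send mail as” records have the shape of the Gmail API settings resources (filters with `criteria`/`action`, `forwardingAddresses`, `sendAs`); that mapping is an assumption to verify against the current API documentation, and the sample records and addresses below are constructed, not taken from a real account.

```python
"""Audit Gmail settings for the persistence tricks in steps 7 and 9:
filters that forward or delete mail, unknown forwarding addresses, and
"Send mail as" aliases the account owner never created.

Added example; not from the original post. Record shapes are assumed to
follow the Gmail API settings resources (filters, forwardingAddresses,
sendAs). All sample data below is constructed.
"""

# Constructed: addresses the account owner actually controls.
OWNED_ADDRESSES = {"victim@example.com", "victim.backup@example.com"}

SAMPLE_FILTERS = [
    # Benign: file newsletters under a label and skip the inbox.
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    # The pattern from step 9: forward password-reset mail and trash the copy.
    {"id": "f2", "criteria": {"subject": "Your temporary Chase.com password"},
     "action": {"forward": "dropbox@attacker.example.net", "addLabelIds": ["TRASH"]}},
    # Quietly deletes security alerts so the owner never sees them.
    {"id": "f3", "criteria": {"query": "security alert"},
     "action": {"addLabelIds": ["TRASH"]}},
]
SAMPLE_FORWARDING = [
    {"forwardingEmail": "victim.backup@example.com", "verificationStatus": "accepted"},
    {"forwardingEmail": "collector@attacker.example.net", "verificationStatus": "accepted"},
]
SAMPLE_SEND_AS = [
    {"sendAsEmail": "victim@example.com", "isPrimary": True},
    # The pattern from step 7: an alias the owner never created.
    {"sendAsEmail": "offers@attacker.example.net", "isPrimary": False},
]


def audit_filters(filters):
    """Return (filter_id, criteria, reason) for each filter that forwards mail
    or sends it to the trash; either one can hide a password-reset message."""
    findings = []
    for flt in filters:
        action = flt.get("action", {})
        reasons = []
        if action.get("forward"):
            reasons.append("forwards to " + action["forward"])
        if "TRASH" in action.get("addLabelIds", []):
            reasons.append("deletes the owner's copy")
        if reasons:
            criteria = ", ".join(f"{k}={v!r}" for k, v in flt.get("criteria", {}).items())
            findings.append((flt["id"], criteria, "; ".join(reasons)))
    return findings


def unknown_addresses(entries, key, owned):
    """Return the addresses stored under `key` that the owner does not control."""
    owned_lower = {a.lower() for a in owned}
    return sorted(e[key] for e in entries if e[key].lower() not in owned_lower)


def run_audit(filters, forwarding, send_as, owned):
    """Combine the three checks into one report; empty lists mean nothing found."""
    return {
        "suspicious_filters": audit_filters(filters),
        "unknown_forwarding": unknown_addresses(forwarding, "forwardingEmail", owned),
        "unknown_send_as": unknown_addresses(send_as, "sendAsEmail", owned),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_FILTERS, SAMPLE_FORWARDING, SAMPLE_SEND_AS, OWNED_ADDRESSES)
    for section, items in report.items():
        print(section)
        for item in items or ["(none)"]:
            print("   ", item)
```

Anything the audit flags should be removed by hand in the account settings and treated as a sign that the password reset was not the end of the story; the "removeLabelIds: INBOX" case is left alone here because skipping the inbox is the normal shape of a benign filing rule.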


2013-05-21  ::  Joshua Spencer

Top 15 Information Security Interview Questions

Thursday 18 April 2013 - Filed under Professional Development

An information security program is only as good as the people that comprise it. This is why it is critical that you identify the best job candidates and weed out the rest during the information security interview process. Over my career, I have battle-tested these interview questions, adding and dropping them to arrive at a final refined list that fits into the 30-minute final interview. These questions assume the candidate has already passed a basic level of technical screening. Here are the questions I typically use, and the explanation behind each.

#1) What attracted you to the field of Information Security?
I want to see if this candidate started because they saw a paycheck, or if they are truly passionate about the field. A great information security candidate will have a passion for their profession that carries over into the quality of their work and the effectiveness of the InfoSec program.

#2) What brings you to us?
This question is designed to elicit why they are looking for work. A response from the interviewee that they are here because they burned down their old company and now need a new place to work would of course raise a red flag.

#3) Do you pursue any information security research outside of your current employer?
I like to see candidates who enthusiastically brag about their test lab at home, or what they have recently done at an Information Security conference or convention. I want people on my team who take pride in their work, not a ticket pusher who is just in it to close as many tickets as possible and go home.

#4) Why would you like to work in this position?
This question often identifies candidates that have the wrong impression of the day-to-day duties for the information security job. If I am hiring for an information security policy analyst then I don’t want their entire answer to be how much they enjoy systems security auditing.

#5) How did you find out about this job?
This is one of those unintuitive questions that consistently reveals information about the candidate’s motivations for interviewing. I like to hear that they heard about the job through industry publications or associations, since that makes them more likely to be passionate about the field and the future work that they do. I also like to hear referrals from other company employees, or that they are internal candidates, which means that the interviewee already has knowledge of the company culture.

#6) How have you used <insert resume keyword here> in your career?
This is a question that has many times ended the interview once it became apparent that the candidate does not know anything about the acronyms listed on their resume, aside from what they studied for their CISSP or CEH exam. I have found that candidates can almost always give you the definition of any term or acronym on their resume, but a surprising number of those who fudge their resume can’t tell you how it is used in the real world.

#7) How do you keep up to date with new information security risks and threats?
A junior information security analyst with up-to-date information on the latest threats and risks is just as valuable, if not more so, than a senior information security analyst who is basing his or her decisions on information that is ten years old. This question also keys in on the candidate’s interests. If they list off a number of news sites that all deal with forensic investigations, and they are being hired as a data loss prevention specialist, then this may be a sign that they are desperate for work and will take a job that does not match their skills and, more importantly, their interests.

#8) How would you respond to a user asking if they can FTP our employees’ SSNs to our health insurance company to perform reconciliation?
A bad answer is “tell them they can’t do it because FTP is not secure”. An information security specialist needs to be a part of the solution. A good response is when the interviewee points out not only that FTP is not secure and why, but that there are more secure options such as SFTP, or when the interviewee digs deeper into the user’s need to send full SSNs in the first place.

#9) How would you explain what an SSL certificate is to your aunt or uncle?
This question demonstrates the candidate’s ability to convey technical information to a non-technical crowd, which is important for most positions I have hired for. If the candidate throws alphabet soup into the explanation (PKI, OU, MD5), he or she may have communication issues when hired. I used to ask for an explanation to your mom, but “aunt or uncle” is much less likely to strike an emotional chord if their mom is deceased.

#10) What is your experience with…?
If I see a gap in the candidate’s resume for a critical job function, I’ll make sure to determine if it is something they have no experience with, or just didn’t have room for in their resume. Common items include:

  • DLP (Data Loss Prevention)
  • Vulnerability Management
  • Penetration Testing
  • Web Application Security
  • Network Scanning
  • Information Security Frameworks (e.g. NIST, ISO, HITECH)
  • Industry Regulations (HIPAA, PCI, HITRUST)
  • Experience with Ticketing Systems
  • Antivirus Products and Infrastructure Design
  • Log Manager / SIEM
  • Information Security Training
  • Policy Creation and Management

#11) How will your past experience help the team to be successful in this position?
If the interview candidate is only strong on paper, this question will show it. The answer typically shows if the person is simply academically knowledgeable or real-world knowledgeable.

#12) What metrics do you see valuable in this field?
This question is designed to put them under stress, and requires the right follow-up questions to be effective. For example, if the candidate answers “Number of infection attempts”, ask what to do when the number goes down. Does down mean good because fewer workstations are being infected, or does up mean good in that the infection attempt was detected and thus not allowed to succeed? Perhaps down means good because users are following safer internet browsing habits, or perhaps up means good because users are installing antivirus more consistently.

#13) What are your strengths in this position?
This is a standard question designed to highlight where the candidate sees himself or herself as strongest.

#14) What are your weaknesses in this position? Alternately, in what areas do you see the most growth needed for this position?
The way the candidate handles this question is typically more enlightening than what they actually say. The typical candidate struggles to walk the fine line between a BS answer and an answer that will not scare the interviewer off. I make sure to record my notes on the candidate’s answer while the candidate is answering the next question, to avoid sweaty palms and the candidate getting overly defensive about the answer once he or she sees you making notes.

#15) What has been your most important work-related idea?
I like to end the interview on a high note, and this gives the candidate a chance to brag about past accomplishments. A big red flag, and one I see too often, is when the candidate can’t come up with any accomplishment worth telling us about. If I am hiring for a position that needs to transform the practices or procedures of my organization, not having any track record of success will go far towards eliminating him or her from the running.

2013-04-18  ::  Joshua Spencer

Dropbox not Suitable for HIPAA or PCI Data

Monday 7 November 2011 - Filed under Cloud Computing

It’s good to get reminders of what we hopefully all know as security professionals: that Dropbox is not a solution for PHI, PII, PCI payment card data, or confidential financial data. Read on for the full story…

Analysis: Dropbox Carries Risks For SMBs
By Edward F. Moltzen, CRN
November 04, 2011 3:50 PM ET
http://www.crn.com/news/cloud/231902380/analysis-dropbox-carries-risks-for-smbs.htm?pgno=1

Dropbox, known as a purveyor of cheap cloud storage for consumers, is now targeting small and mid-sized businesses with a new service offering. However, SMBs considering the service need to bear in mind that it lacks key compliance certifications many businesses need, potentially leaving them open to significant financial penalties.

The new Dropbox for Teams cloud storage service does not meet the requirements of Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law, executives and media representatives from the San Francisco-based company confirmed to CRN this week.

Failing to meet compliance requirements could carry catastrophic consequences to SMBs, including some businesses that Dropbox is targeting with its Teams cloud storage offering. Dropbox executives, though, defend the product saying customers who beta-tested it prior to launch were concerned with collaboration and ease-of-sharing, not PCI, HIPAA or SOX.

“This is not what our customers are asking about right now,” said Chenli Wang, team lead of business and sales operations for Dropbox regarding Dropbox for Teams’ lack of regulatory compliance. “But there are things we always evaluate. We are just getting started.”

Wang noted that SOX compliance is aimed at publicly traded companies, which Dropbox is not targeting with Teams. HIPAA compliance, he said, is “more complex” because “it is not just about the technology compliance, but also data access and practices. That is more around how the businesses themselves enforce policies.”

Still, Wang said, HIPAA compliance is an area that “we may potentially look at.”

With PCI compliance, Wang said, that benchmark is more directed at the storing of customer credit card and personal data and “that’s not what they’re using [Dropbox for Teams] for.”

The build out of cloud-based storage solutions, for both businesses and individual consumers, is encountering a push-pull between cost in a price-sensitive environment and need for security, privacy and regulatory compliance.

However, for many businesses, compliance could be the whole ballgame.

For example, here is what Bank of America says in an online FAQ about what happens to a business that does not comply with PCI regulations:

“If you do not comply with PCI [Data Security Standard], your business may face significant financial and reputational risks.

“If your cardholder data is compromised, you could be required to reimburse us for card brand fines ranging up to $500,000 per incident, as well as subsequent fraud losses incurred by card issuers resulting from the compromised card data, which may exceed fine amounts.”

In addition, Bank of America says, a business could have its entire account blocked for a lapse in PCI compliance. And that’s even if a business conducts fewer than 20,000 credit card transactions in a year.

With HIPAA, health care providers themselves are often small businesses with the same regulatory compliance requirements as large, multi-global health insurance companies.

Even SOX requirements could be a factor for small, privately held companies. Under the act, third-party providers of significant services to publicly traded companies — like VARs or consultants — have to maintain the same controls as the publicly traded companies themselves. So the impact of non-compliant technology in even smaller organizations could loom large.

Wang acknowledges that Dropbox does not provide any warnings for small businesses with its Dropbox for Teams service to let them know the risks of storing regulated data on its non-compliant infrastructure.

PCI compliance, Wang said, “may apply to a small subset of potential customers. For the vast majority,[the focus is on] collaboration and creative assets. We’re not talking about bank statements.”

He said that security, and functions like encryption, were in fact considered and included in the development of Teams, and customers have been happy with that. His comment comes after some customers of Dropbox’s consumer service have had security complaints.

In unrelated cases, Dropbox has been fending off customer concerns about its security for some time. Those concerns — which have led to at least two lawsuits and a complaint with the U.S. Federal Trade Commission — include the alleged access of some Dropbox employees to individual customer data, as well as a one-time glitch that allowed some customer data to be accessed even without a password. Dropbox has been defending itself vigorously against criticism of its security, however, and has not been deterred in working to expand its addressable market.

Launched primarily as a consumer-focused tool for storing a small capacity of data online, Dropbox last month disclosed that it was launching Teams for collaboration — targeted at SMBs. Dropbox for Teams, which is sold directly online, is priced at $795 per year for use by up to 5 people. Dropbox advertises Teams as providing “bank-grade” encryption, and the service allows for quick sharing of data stored in its online service — including via Apple’s iPhone.

The market for cloud-based collaboration and storage is crowded, and there are competing solutions that do provide regulatory compliance and channel support. These solutions include, for example, IBM’s IBM Lotus Connections combined with IBM Vantage.

On the issue of working through third-party solution providers, Wang said the company only sells Dropbox for Teams direct, not through a channel of solution providers.

While Teams may address needs for quick, low-touch solutions for cloud-based collaboration and sharing in an organization, the unaddressed risks it brings may become an increasingly important topic of conversation for even the smallest of businesses. The sooner and more focused that conversation begins, the better.

For now, there appears to be nothing wrong with using Dropbox’s base consumer service for storing innocuous files and having access to them across platforms. Moreover, many organizations may even find Dropbox for Teams to be a solid offering that is easier to use for file sharing and storage than e-mail.

However, for others, there may be $500,000 (or more) worth of reasons to be cautious about taking the quick, cheap and easy route.

2011-11-07  ::  Joshua Spencer

Facebook Allows your Friends to Reset your Password

Monday 31 October 2011 - Filed under Uncategorized

Facebook receives an ungodly number of calls and emails from users who have been locked out of their accounts. In response, Facebook now allows you to designate “trusted friends” who can help you reset your password through codes sent to their accounts. This ushers in a new breed of possible social engineering tactics, since account security no longer relies solely on the security-mindedness of the end user. While most Facebook users will not be worth a hacker’s time, high-value targets should make sure to choose trusted, and security-conscious, friends carefully. The same applies should you simultaneously offend all of your trusted friends at once, as they could pool their codes to take control of your Facebook account and exact revenge. Read on for the full story…

Facebook adds ‘trusted friends’ and app-specific passwords
By Rosa Golijan
http://technolog.msnbc.msn.com/_news/2011/10/27/8508512-facebook-adds-trusted-friends-and-app-specific-passwords

In honor of National Cybersecurity Awareness Month, Facebook reminds its users of existing security techniques and tools — and adds some new features which will supposedly keep you more secure on the social network.

A blog post by Facebook’s security team — yes, there really are teams dedicated to such things at the company — explains that two new features are being added to users’ account settings: Trusted friends and app passwords.

The first of these two features — trusted friends — is intended to help you access your account if you are ever locked out of it for some reason:

Trusted Friends will let you select three to five trusted friends who can help you if you ever have issues accessing your account. [Facebook will] send codes to the friends you have selected, then you can log back into your account using these codes after your friends have passed them along to you.

Now while this feature sounds great in theory, there’s also potential for abuse. Your supposedly trustworthy friends could easily request the reset codes on your behalf and then share them among each other in order to have all the information necessary to kidnap your account for some sort of nefarious (or hilarious) purpose.

In other words: Be very, very careful when it comes to selecting guardians for your Facebook account.

National Cybersecurity Awareness Month Updates
by Facebook Security
https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766

The other new feature — app passwords — is supposed to help keep your Facebook account safer by providing you with a unique password to use with apps. You’ll generate these app-specific passwords as necessary and simply enter them in place of your regular password when using third-party apps such as Spotify, Skype, and so on. You will be able to forbid a specific app from accessing your account by simply deleting the password you’ve generated for it at any time.

Security and safety are at the core of Facebook. We have entire teams dedicated to building tools that give people even more control over their account and specifically the way they access their information. In fact, many of our most talented engineers are working exclusively on creating a secure environment on Facebook. This October, as part of National Cybersecurity Awareness Month, we are working with others in the community to help educate people about techniques and tools for securing your devices and networks. Additionally, we thought this would be a great opportunity to tell you about some of the systems working behind the scenes to keep you and your data safe.

Today, we wanted to give you an update on some new features we will be testing in the coming weeks – Trusted Friends and App Passwords – and remind you of the many user tools we offer to help keep you secure on Facebook.

We’re excited to begin testing this new tool to help you in case you ever get locked out of your account. Similar to other features that help you prove your identity through your friends, you can now select three to five trusted friends who can help you if you ever have issues accessing your account. It’s sort of similar to giving a house key to your friends when you go on vacation–pick the friends you most trust in case you need their help.

If you forgot your password and need to login but can’t access your email account, you can rely on your friends to help you get back in. We will send codes to the friends you have selected and they can pass along that information to you.

App Passwords

There are tons of applications you can use by logging in with your Facebook credentials. However, in some cases, you may want to have a unique password for that application. This is especially helpful if you have opted into Login Approvals, for which security codes don’t always work when using third party applications.

We are testing a feature that allows you to use app passwords for logging into third party applications. Simply go to your Account Settings, then the Security tab, and finally to the App Passwords section. You can generate a password that you won’t need to remember, just enter it along with your email when logging into an application.

Over the past few years we have introduced a number of new security tools – Login Approvals, Login Notifications, and One Time Passwords to name a few. In addition, we have developed several back-end systems to help keep you and your data secure. To better illustrate the full range of these features and show how they all work together to keep you safe while on Facebook we are releasing this infographic. Check it out to learn more about our security infrastructure and an overview of the tools available to all our users to increase their level of account security.

Our considerable work has undoubtedly made Facebook a safer environment – less than half a percent of users experience spam on any given day and only a fraction of a percent of our users ever experience any security-related issues. But we know there is plenty of more work to be done and we will keep striving to make sure that every time you log in to Facebook, you have a safe and social experience. We are adapting and responding to new threats everyday and will continue to roll out new ways to protect your account. Be on the lookout for more announcements throughout the rest of this year, and remember to stay vigilant while online and remind others to do the same.

2011-10-31  ::  Joshua Spencer

US Government Satellites Hacked

Thursday 27 October 2011 - Filed under cybercrime

On the heels of the news that US Predator drone control stations were infected with malicious code comes news that hackers managed to penetrate US government defenses and gain operational control of two satellites, Landsat 7 and Terra AM-1. No major conclusions can be drawn from the limited information, but the upcoming report from the U.S.-China Economic and Security Review Commission should shed some light on just how concerned we should be. Read on for the summary from Net-Security.org…

Hackers attacked U.S. government satellites
http://www.net-security.org/secworld.php?id=11853

Two U.S. satellites have been tampered with by hackers – possibly Chinese ones – in 2007 and 2008, claims a soon-to-be released report by the U.S.-China Economic and Security Review Commission.

The two satellites, Landsat-7 and Terra AM-1, had been interfered with on four separate occasions, allowing the attackers to be in command of the satellites for two to over twelve minutes each time.

Luckily, both of the satellites are used only for observing the Earth’s climate and terrain, and the hackers never actually misused their control over them in any way. But the compromises have definitely been taken very seriously, since future targets could include satellites with more sensitive functions, such as those used by the U.S. military and the various intelligence agencies for reconnaissance and communication.

According to Bloomberg, the report does not indicate whether the hackers behind the intrusions were state-sponsored or not, but it implies that the nature of the attacks and the targets seem to be consistent with Chinese military plans in case of open war, which include disabling the enemy’s space systems and the ground infrastructure through which they are controlled.

According to the report, the control that the hackers had over the two satellites for those brief periods permitted them to damage or destroy them, or to block or falsify their transmission.

Since the satellites are controlled from the Svalbard Satellite Station in Norway which often uses the Internet to transfer and access files, it is deemed highly likely that the hackers have managed to insinuate themselves into the station’s system through its Internet connection.

2011-10-27  ::  Joshua Spencer

Taking your Browser to the Cloud, the Next Evolution in Cloud Computing

Monday 17 October 2011 - Filed under Uncategorized

As scary as it seems, this is the future of mobile browsing. Add to that the fact that where there is user tracking data to be collected, network providers have never been bashful about using this data to line their pockets. Hopefully there will be enough media coverage to work out the information security and privacy concerns before we see the user base grow too far. Read on for the summary on Amazon’s blog, and let me know what you think about this in the comments…

Introducing Amazon Silk
September 28, 2011 by The Amazon Silk Team
http://amazonsilk.wordpress.com/2011/09/28/introducing-amazon-silk/

Congress is trying to wrap its collective head around Amazon’s new Silk Web browser. At a privacy hearing yesterday, Rep. Joe Barton (R-TX) expressed outrage at the way Silk’s ‘split’ design can funnel all user browsing data through Amazon’s backend servers. ‘My staff yesterday told me that one of our leading Internet companies, Amazon, is going to create their own server and their own system and they’re going to force everybody that uses Amazon to go through their server and they’re going to collect all this information on each person who does that without that person’s knowledge. Enough is enough.’ Today came a similar shot from the other side of the aisle, with Rep. Ed Markey (D-MA) dashing off a letter (PDF) to Amazon CEO Jeff Bezos about the same privacy concerns. ‘Consumers may buy the new Kindle Fire to read 1984, but they may not realize that the tablet’s “Big Browser” may be watching their every keystroke when they are online,’ Markey said in a statement.

Today in New York, Amazon introduced Silk, an all-new web browser powered by Amazon Web Services (AWS) and available exclusively on the just announced Kindle Fire. You might be asking, “A browser? Do we really need another one?” As you’ll see in the video below, Silk isn’t just another browser. We sought from the start to tap into the power and capabilities of the AWS infrastructure to overcome the limitations of typical mobile browsers. Instead of a device-siloed software application, Amazon Silk deploys a split-architecture. All of the browser subsystems are present on your Kindle Fire as well as on the AWS cloud computing platform. Each time you load a web page, Silk makes a dynamic decision about which of these subsystems will run locally and which will execute remotely. In short, Amazon Silk extends the boundaries of the browser, coupling the capabilities and interactivity of your local device with the massive computing power, memory, and network connectivity of our cloud.

2011-10-17  ::  Joshua Spencer

Dual-Mode Android Separates Your Personal Data from Your Work Data

Friday 14 October 2011 - Filed under New Technology

I cringe every time I connect my new Android devices to a corporate network and have to accept the horrifying Terms of Service. Enterprise activation, required by most corporations’ Exchange servers for using the built-in email application, allows an employer to wipe my device remotely, among many other scary things. This dual-mode Android ability seems like the logical evolution of the new smartphone reality: my phone is for business and pleasure… and I don’t trust my employer touching my personal data. Read on for the scoop from technologyreview.com.

One Smart Phone, Two Personalities
Thursday, October 13, 2011
By Tom Simonite

AT&T, the second largest wireless carrier in the U.S., and Qualcomm, which dominates the market for smart-phone processors, want to give your phone a split identity. The companies are separately adopting technology that can make a smart phone secure enough to keep IT bosses happy, but open enough to allow its owner to install apps or surf the Web.

AT&T will release its version of the technology, called Toggle, for Android phones this year. Someone using a device with Toggle installed taps the home button twice to flip between personal and work modes. The personal mode behaves like a regular phone and is fully under the user’s control. The work mode looks like a separate phone with its own desktop and suite of apps and is secured by a password. Its functionality is constrained by a company’s IT policy; all data stored or created under the work mode, whether e-mail, contacts, or Web downloads, is encrypted and can be remotely wiped if a phone is lost or stolen.

“People want to use their own smart phones and tablets for work, but that practice can create major headaches for businesses’ IT departments,” says Chris Hill, part of AT&T’s Advanced Mobility Solutions group. “Toggle helps resolve the issue in a simple, affordable manner.”

The smart phone boom triggered by Apple’s iPhone has caused a sharp increase in the number of people using personal mobile gadgets at work, a phenomenon sometimes referred to as Bring Your Own Device, or BYOD. Newer devices made the standard-issue corporate BlackBerry look clunky, and come with apps that can aid productivity.

AT&T’s Toggle is a rebranding of technology developed by Enterproid, a startup based in New York, which launched the technology in a closed beta trial earlier this year. Enterproid is also continuing to develop its own product, says cofounder Alexander Trewby. Android users can sign up to use Enterproid, which is currently free, here.

Trewby and colleagues are also working with chipmaker Qualcomm, which has made changes to forthcoming phone and tablet processor designs to better support Enterproid’s approach. “We will be integrated with their Snapdragon line of processors so we can store the encryption keys that secure our data in the silicon,” explains Trewby. That addresses a vulnerability where data could be stolen from a phone in work mode if an attacker gained root access to a phone and extracted Enterproid or Toggle encryption keys that are currently stored in the phone’s memory. Storing those keys in a device’s processor instead makes such an attack much more difficult, says Trewby, who notes it is even enough to satisfy military organizations.

Activating work mode on a device running Toggle or Enterproid allows access to a suite of basic apps for e-mail, Web browsing, and content management. Enterproid plans to launch its own app store to allow IT managers to remotely install apps on employees’ phones. Trewby and colleagues also hope to encourage developers to contribute apps. “We’re providing the platform for third-party developers, and they will be able to inherit our encryption and security into their own app.”

The fact that two companies as influential as AT&T and Qualcomm are backing Enterproid’s technology makes it possible that such a feature will become common for many smart phones and tablets. However, the approach will not work for the iPhone or iPad, which do not allow one app to run inside another. Apple also has tight guidelines for apps that rule out replicating Apple’s default interface.

Trewby says Enterproid has a good relationship with Apple, and he hopes that in the future, the company will allow a dual-persona system. But for the moment, Enterproid is working on a more basic iPhone app that keeps a work contact list secure.

“We’re seeing demand for a dual mode on iPhone, though, and our existing users on Android really like this approach,” says Trewby, adding that an application for hacked iPads, called iUser, implemented such a system and “got great response.”

Mike Sapien of the analyst firm Ovum says the Bring Your Own Device problem is serious enough to attract Apple’s attention. His company’s research suggests that 35 percent of people currently use a personal device for work data. Sapien says the number is likely higher because many people do so against company policy.

“I think it’s a big enough trend that Apple will find its own solution for this, probably with some key partners,” says Sapien, who notes that Enterproid could give Android phones a competitive advantage over Apple devices in the eyes of some consumers and company IT managers.

 ::  Share or discuss  ::  2011-10-14  ::  Joshua Spencer
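The article's point about keys "in the silicon" versus keys in app memory is the one a practitioner wants to see in code. The class below is an added example, not Enterproid, Toggle or AT&T code, and the class name, key alias and method names are assumptions. It shows how a work-mode app on a current Android release would keep its data-encryption key inside the AndroidKeyStore (backed by the TEE or a StrongBox secure element where the device has one), check whether the platform actually reports the key as hardware-held, and implement a remote wipe as a crypto-erase by deleting the key. The key material never enters the app process; only ciphertext and IVs do, which is what defeats the root-and-extract attack the article describes.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical work-mode key helper (example code, not a vendor's implementation).
 * The AES key lives in the AndroidKeyStore; the app only ever sees a handle to it.
 */
public final class WorkModeKeys {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    /** Return the existing key for this alias, or generate a new AES-256-GCM key. */
    public static SecretKey getOrCreateKey(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(alias, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Prefer a dedicated secure element; fall back to the TEE if none exists.
            try {
                kg.init(spec.setIsStrongBoxBacked(true).build());
                return kg.generateKey();
            } catch (StrongBoxUnavailableException e) {
                spec.setIsStrongBoxBacked(false);
            }
        }
        kg.init(spec.build());
        return kg.generateKey();
    }

    /** True when the platform attests that the key material is held in secure hardware. */
    public static boolean isHardwareBacked(SecretKey key) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            int level = info.getSecurityLevel();
            return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                    || level == KeyProperties.SECURITY_LEVEL_STRONGBOX
                    || level == KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE;
        }
        return info.isInsideSecureHardware();
    }

    /** Encrypt work data. The keystore picks the IV; it is prepended to the ciphertext. */
    public static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = c.getIV();          // generated inside the keystore, 12 bytes
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Decrypt data produced by seal(); the GCM tag check fails on any tampering. */
    public static byte[] open(SecretKey key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, sealed, 0, GCM_IV_BYTES));
        return c.doFinal(sealed, GCM_IV_BYTES, sealed.length - GCM_IV_BYTES);
    }

    /** Remote wipe as crypto-erase: once the key is gone, every sealed record is unreadable. */
    public static void wipe(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        ks.deleteEntry(alias);
    }
}
```

A work-mode app would call `getOrCreateKey` at setup, refuse to store sensitive data (or degrade to a warning state) when `isHardwareBacked` returns false, and have its MDM wipe command call `wipe` rather than trying to scrub every file. On a rooted device an attacker can still use the key while the app is unlocked, but cannot read it out of memory and carry it away, which is the specific weakness Trewby describes.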

100 Hackers Hired to Test 2012 Olympics Information Security

Tuesday 11 October 2011 - Filed under cybercrime

On the surface it appears that the brains behind the London Olympics are taking information security considerations seriously for the 2012 games. They have hired 100 pen testers to simulate a range of attacks on the 2012 Olympic games such as various DDoS and virus attacks, in order to ensure that they are protected from cyber attack during the games. Let’s hope that they included the most dangerous of them all in their testing, social engineering. Read on for the full story from Sophos…

London Olympic Games to simulate cyber-attacks
by Graham Cluley on October 11, 2011 | Sophos.com

The London 2012 Olympic Games will open in nine months’ time, and – away from the glories anticipated on the track and field – consideration is being made about how to defend the world’s leading sporting event from cyber-attack.

The Olympics’ Technology Operations Centre (TOC), located in Canary Wharf, was opened to the media yesterday. During the games, hundreds of staff will work at the centre, providing 24×7 monitoring of the Games’ technology infrastructure, including IT security.

London Olympics 2012 Technology Operations Centre

It was reported that the 2008 Beijing Olympics were on the receiving end of 12 million online attacks per day.

Of course, internet attacks come in all shapes and sizes, and some can be deflected very easily – so the large number of attacks at the last Olympic Games is not necessarily a cause for concern by itself.

Nevertheless, the rise of hacktivism and “doing it for the lulz” raises the specter of a larger number of individuals thinking it might be cool to interfere with the enjoyment of sports-lovers.

Possible threats which could disrupt the Olympic Games include denial-of-service attacks against official websites and malware infections.

Gerry Pennell, chief information officer for London 2012, has said that a key principle will be to “keep mission-critical games systems quite isolated from anything web-facing. So very much partitioned and separated, thus making it hard for an external attack to succeed.”

Well, that sounds sensible – but there’s nothing quite like testing the theory. And with that in mind, the computer systems behind the London Olympics will suffer simulated internet attacks in March and May, just months before the Games begin, to test that they can withstand a massive denial of service or a malware outbreak on internal systems.

“We simulate past competitions and we have a shadow team of about 100 people coming and creating problems – injecting viruses, disconnecting PC servers,” Patrick Adiba from Atos, the Olympics IT supplier, told the BBC. “We are using a simulation system so it doesn’t really matter if we corrupt the data. We simulate the effect and see how people react.”

Computer security is a very real issue for organizers of major sporting events, and there have been problems in the past.

For instance, in 2003 the Pan American Games held in the Dominican Republic were impacted by a computer virus that interfered with the results service. Media representatives around the world were unable to access the latest scores and results from competitions as the computer system was brought down.

Unless properly defended against, a group wishing to make a political point might find it all-too-tempting to launch an attack against Olympic servers or inject malware into a vulnerable website.

It’s good to see the London Olympics preparing for the worst case scenario, and we all hope that when the Games do open on 27 July 2012 they will do so without a hitch.

 ::  Share or discuss  ::  2011-10-11  ::  Joshua Spencer

US Air Force has Predator Drone Control System Infected

Monday 10 October 2011 - Filed under cybercrime + Information Leak

With the news of the USAF Predator drone virus infection come growing public concerns that the military is failing to provide adequate information security protection from malicious attackers. Hopefully, an air gap is in place that prevented this infection from sending its payload “home”, wherever that may be.

Unfortunately, knowing the scale of the US military and the fact that there is no patch for human stupidity, I can say with confidence that events of this magnitude happen far more frequently than the public knows. What makes this event special is that someone (who I am sure received a severe tongue lashing if not termination) leaked this information to a reporter.

While this news story should raise the public’s awareness of the vulnerability to a US cyber-attack from foreign sources, there are much larger threats to the nation, largely from public industry. Frighteningly, the same SCADA vulnerabilities that caused an Iranian nuclear reactor to spin out of control are present in every component of American infrastructure. For more information on the need to protect our Infrastructure, you can visit the FBI’s InfraGard website and even join as a member to receive the latest updates and participate in the discussion. Read on to get the summary from Sophos…

Malware compromises USAF Predator drone computer systems
by Graham Cluley on October 10, 2011 | sophos.com

According to a Wired report, malware has infected the control systems used by the United States Air Force to fly Predator and Reaper drones, logging key presses as the unmanned aircraft are flown remotely in Afghanistan, Libya, Pakistan and other conflict zones.

The malware intrusion is said to have been detected by the Department of Defense’s own Host Based Security System (HBSS), but attempts to permanently remove the infection from one of America’s most important weapons systems have proven unsuccessful.

Inevitably there has been some concern in the media that malware could interfere with the flight of drones that are not just capable of surveillance, but can also carry deadly missiles to remote targets.

Questions are understandably being asked as to whether a remote hacker could interfere with the drones mid-flight, or send information to a third party about the drone’s whereabouts or intended target.

Wired quotes an unnamed source familiar with the infection as saying:

“We keep wiping it off, and it keeps coming back… We think it’s benign. But we just don’t know.”

Hmm.. If I “just didn’t know” I would assume the worst. In computer security, it’s always safest to assume the worst possible scenario has happened and take the necessary steps until you have proven that it hasn’t, rather than assume everything is ticketyboo.

Chances are that the malware is a common-or-garden key logging Trojan horse designed to steal banking information rather than targeting the USAF. But if they are having problems keeping their systems malware-free, and have not identified the infection accurately, they should presume that it is more serious instead.

Predator and Reaper crews fly their drones remotely from an air force base in Creech, Nevada. The computer systems used to control the weapons are supposedly not connected to the public internet – to reduce the chances of malware infection.

However, any IT administrator will know that simply disconnecting a computer from the internet does not make it 100% safe. Malware can be introduced via other means, such as a USB memory stick, as astronauts on the International Space Station discovered in 2008.

And that seems to me to be the most likely vector (USB memory stick I mean, not outer space..) by which malware could have infected the drone computers, as it’s known that drone pilots use memory sticks to upload terrain maps and mission videos.

 ::  Share or discuss  ::  2011-10-10  ::  Joshua Spencer