Author Archives: Ryan Farmer

Privacy is always better through sepia-tinted glasses


Instagram has done one thing well. And no, it’s not turning HD 8MP snaps of man plus dog’s meals into Polaroid-esque travesties of blurriness, reminiscent of ‘70s snappers. What the photo filter app-maker (or photo-sharing and social-networking service, if you sign up to marketing hyperbole) has done is highlight that there isn’t a total sense of apathy and disinterest in security and privacy amongst the greater public; they just need something to care about – a sepia-toned champion, if you will.

As word of a renewed privacy policy swept across Twitter, Tumblr, and Pinterest, the cool kids were up in arms, albeit at the urging of coattail-riding ‘celebrities’ like Kim Kardashian (a more orange than sepia skinned hero granted, but we take what we can get). How can you not own a photo you took on your own phone? There is one school of thought here that rationalises the situation – you own the unaltered photo which you took; but as you’ve over-exposed/scratched/generally ruined it with their app, the output belongs to Instagram. By their logic, any image manipulation produces a new photo that is the property of the editor. That’s the kind of proprietary nonsense that even Apple’s legal team would turn their noses up at. This isn’t something anyone wants – my HTC has similar filter editing built in, and plenty of HDRs and digital cameras do their own image and balance correction on-device. Whilst we’re on the subject of what you can do ‘on-device’, in what world did Instagram think it was a good idea to not let users take pictures offline? Seriously?

Despite what Instagram, Zuckerberg, or anyone else claims the true intention of the shift was, the subsequent backtrack was unsurprising both in the speed and in the scope of the policy turnaround. For a company fresh off the back of a $1bn acquisition and enjoying the associated buzz of riding the crest of the Facebook wave, the whole move was a PR disaster and the damage has already been done. If you believe some news outlets, the app has lost half of its daily user base as a result of the debacle, and competitors have stepped up to try and fill the ‘vintage filter’ void.

But is it fair to blame companies like Instagram, YouTube, Facebook, et al for trying to monetise their offerings? After all, they host literally petabytes of users’ content. It isn’t just servers that cost, but staff, cooling, and ground rent. And really, what were they going to use those pictures for? Which third parties were they hoping to sell them to? As nice as that shot of a sun-drenched deckchair on Brighton beach is in black and white, it’s not like stock photo repositories are going to be teeming with low-res shots of your shenanigans for sale. Let’s face it, Instagram got jealous of Facebook and LinkedIn with their user content advertising, and got caught up in the ‘we should be doing that too’ mentality that is synonymous with social media… except they forgot to offer an opt-out like those other bastions of user privacy (eventually) did.

So there’s one very important lesson Instagram has given us – users care about privacy and security when they have a vested interest; if it’s something they use out of choice rather than necessity, they are more than ready to get up in arms about it. Well actually there are multiple lessons, but if there’s one more fortune cookie of wisdom here, it might be best to explain the purpose of a policy before rolling it out, even if it’s just for awareness, hearts, minds, and warding off mutiny.


If you like it, Google might put a ring on it


A recent Google Labs research paper explored ideas for alternative sign-in methods and more secure authentication techniques. As anyone who has used Gmail over the last few months will know, Google are desperate to introduce secondary forms of verifying your identity; namely submitting your mobile number so that the Mountain View-based internet giant can generate a one-time password. A current pilot study being run out of the Googleplex explores the idea of the mobile device being the password rather than generating it: this is the passdevice.

Google are desperate to get user security right. They have a large existing user base across their search, messaging, mapping, and video services, and are firmly established as a market leader in consumer email. It isn’t just email though; your Google credentials are the same across the entirety of their platform and product range. What we are dealing with here, then, is a cross-platform online identity. With the increasing monetisation of services such as Wallet and the Play Store, there is also a direct loss impact to be felt should account security be compromised. There is a direct financial incentive, in terms of profit rather than just loss prevention, as Google tries to assure us that it is the homogeneous web ecosystem… although let’s face it, no one is believing those Google+ user figures!

Search, Gmail, YouTube, Android OS, Play Store, Zagat, Maps, Motorola, Blogger, Drive, AdWords, AdMob, Analytics. Google offer a lot of free services, and constantly push the envelope in research (Goggles), only to scrap offerings that aren’t ‘working’ (read: not easily monetised) – Google Wave anyone? So there’s no questioning the value that they bring to the digital age, and the standing they have as one of the world’s most powerful (if not necessarily trusted – “don’t be evil”) brands. Is it that unreasonable then that they might ask something in return, something beyond $10-11bn/year profit and full knowledge of your online habits?

You see, Google are thinking along the same lines as Beyoncé here: if you like their services so much then you might as well let them put a ring on it. An authentication ring. Which all sounds very nice, until you start thinking that Web 2.0 giants like Facebook and Twitter, and arch-rivals Apple, might like the idea – free advertising and the kind of brand commitment that wearing a real world ‘device’ entails. The whole initiative would take some time to roll out too, not just in terms of manufacturing and getting rings on fingers, but also in terms of devices and platforms that can read the token. Mobile phones are refreshed every 18-24 months, meaning that side of the industry wouldn’t take too long to catch up, but what about PCs – would a reader be connected via USB, retro-fitted, or built in during manufacture? And then there’s Apple, who haven’t exactly been playing ball with supporting their Californian neighbours’ products and services – considering the market share Apple still have in Western markets like the US and UK (and remarkably in Japan), Tim Cook (Apple CEO) may be the biggest road block on the ring’s route to market.

In principle there are pros and cons from a security and usability perspective with ‘ring-thentication’ – to name a few… Will it be resilient? Water-proof? Easily blocked and replaced if lost or stolen? Will remote and/or security updates be possible? There are still questions to be answered, but what the research paper does do is finally try to take on the challenge of user inertia towards security and passwords. It’s so simple a solution that the user won’t have to do anything beyond making the initial decision to put the thing on.

One Acronym to Rule Them All…


It seems that maybe MDM (Mobile Device Management) isn’t the most effective solution to an issue as broad and undefined as BYOD (Bring Your Own Device), although it certainly is a simpler one. At a recent CISO panel, Andrew Yeomans, a board member of the Jericho Forum and regular attendee of the RANT event for end user security professionals, was amongst other senior figures in the industry calling for a more effective and rounded solution.

Since the iPhone and G1 came along and convinced us all that PDA owners were on to something after all, the issue of secure mobility has grown beyond the need to encrypt laptops and USB sticks. This has troubled CISOs and Information Security Managers who are reluctant to tell their CEO “no”; after all, information security is positioning itself as an enablement function now. So how do you tackle the problem of making a consumer device, with little inherent security, sufficiently resilient to hold sensitive or regulated corporate data?

It seems that at one point, about 12-18 months ago, MDM was a possible solution; now it is often heralded as the only solution. So what’s the problem, other than that licence fees from some vendors can reach towards £100 per device, and that’s without support or server costs… there is of course the additional strain on already understaffed security departments as well.

So why might MDM be the great info sec white elephant of 2012/13? The main difficulty all security controls encounter is user resistance: if something isn’t intuitive or streamlined it will often be circumvented. MDM may sound like a good blanket solution, but it is addressing Bring Your Own Device, and therefore its presence on a personal smartphone or tablet is incredibly intrusive. It harks back to the darkest days of Draconian approaches to information security and risk management. To do the job properly MDM needs to lock down the full device, and in doing so it impacts the user experience.

MDM is one solution to fit them all. Fine, your product covers iOS, but is it compatible with the iPod Touch/Nano and the latest iPad Mini too? Yes, you do Android, but does that cover Froyo, Gingerbread, ICS and Jelly Bean? And what about every manufacturer’s Android OS overlay – will it work on employees’ HTC, Sony Ericsson, Samsung, Motorola, LG, Huawei, ZTE, Acer, Asus, Dell and Panasonic handsets? Then there’s the Nexus and Kindle ranges. Fragmentation is a huge problem not only for compatibility but also from a functionality and support perspective. And what about reporting: how do you manage so many disparate devices, and where do you begin with e-Discovery?

Other acronyms don’t necessarily fare any better. MIM (Mobile Information Management) is also troublesome from a security and monitoring perspective; and MAM (Mobile Application Management) is again difficult for the user to adjust to – there’s a sacrifice of native apps and a whole new aesthetic and ecosystem to acclimatise to. The idea of MAM through SDKs and API wrappers, features recently announced by both AirWatch and Webroot, will likely prove to be the most effective solution in the long term.

As it stands, for many MDM is too obtrusive a solution for personal devices and much better suited to locking down corporate mobility assets. We’re on the right path, but there’s a lot of work to be done in balancing security, impact, and usability. Come to think of it then, BYOD is just like most other security concerns CISOs have encountered over the last decade.

Getting in on the conversation

Nowadays if you’re not on a social network site like Facebook, LinkedIn or Twitter, you are seen as someone who is not with the program. It’s objectionable to some people, an affront even – why on earth wouldn’t you be connected?

This is an age of information, of conversation, both digitally and in person. We’ve never had so many channels through which to communicate with one another on such a grand, open scale. From one corner of the world to another we can navigate intelligent discourse on anything and everything, quickly and in person. The flow of content has never been so easy.

With this in mind, some hints and tips for security professionals looking to ‘get in on the conversation’, are as follows.

If you’re not already on a social networking site, then now is the time to sign up. While that may indeed be unlikely – we like to think you’re relatively informed about the virtues of such sites, personally and professionally – it is worth reiterating.

None of the above are absolutely essential – there is an abundance of social networking sites out there, equally good, though not all that well known. Some will be relevant to your industry – like an intrepid explorer, hit Google and have a search. While we’re here, do have a look at Google+ – it’s definitely one hell of an innovative platform to converse online.

However, the advantages of connecting on Facebook, Twitter and LinkedIn are that they are all extremely popular, have a huge following – implying you can network much more efficiently through these channels – and they excel at what they do. So get liking, tweeting and linked in.

Through such digital networks we can create opportunities for real world interaction. Sign up to mailing lists and follow key initiatives like RANT. In doing so, you open up doors for all sorts of instances where you can meet peers, learn off one another and create opportunities to progress in one’s career. You’ll also be abreast of the latest happenings in the business, whether that’s new reports, blue sky thinking or upcoming conferences discussing the future.

It’s all about fostering a collaborative – and indeed open – environment. As security professionals working in a digital age, we have to be at the forefront of technological innovation, forward-thinking and keeping an ear to the ground. Don’t get left behind.

Be the muscle for the digital age

Neelie Kroes, European commissioner for digital agenda, said in a speech recently to the European Parliament Committee on Industry, Research and Energy that her ambition is to “reinforce” the European Network and Information Security Agency (Enisa) as the world moves to even greater connectivity. Globalisation in a trade sense of the word was step one of two of making the world a smaller place. The digital age is step two. To add a bit of magniloquence to the blog, the revolution to bring humanity together is on the precipice of being achieved. World peace will be the final chapter to that story.

Anyway, that’s a digression. Ms Kroes outlined two ways in which this can be achieved.

“First, ENISA must be able to attract and to retain the very best IT security experts in Europe. Second, ENISA staff and stakeholders must have the best conditions for networking. This is essential for the Agency to carry out its mission successfully,” she told colleagues in Brussels.

What her comments highlight is the simple fact that this is an important age for professionals operating in governance & compliance and the information security & risk management industries and all affiliated sectors. What she wants is for robust defence mechanisms to be in place by 2015, which experts like yourself can help make a reality. The European Commission wants digital security to be more “muscular”, language which suggests a move towards being more proactive – swift and thorough reactive approaches are brilliant, but preventative is always preferable to damage limitation.

Interestingly, in her speech Ms Kroes suggested that powerful countries like those in the eurozone, China and, of course, the United States would benefit from working with, cooperating and up-skilling so-called “third” countries – by which we deduce she meant third world/emerging countries.

The truth is, in order to minimise their chances of being caught, punished and reprimanded by the authorities, cyber criminals attempt to lose themselves in a digital and physical maze within these respective countries. Cross-collaboration, the sharing of information and a genuine multi-disciplinary approach have positive outcomes for all stakeholders.

This has already been touched upon in the idea of Pefias – a pan-European framework for electronic information, identification, authentication and signature. Can you contribute to this? What ideas do you have? One place to share your thoughts and ideas is at our monthly RANT event. Be part of the conversation. Be the change Ms Kroes is looking for.

Innovative protection for Android devices

Things move apace and before you know it you’re living and working as an information security & risk management professional in a city from a futuristic Hollywood movie. The kind where you work with documents virtually, scanning them in the open air with your fingers. The kind where everything is voice activated. The kind of world where face recognition technology unlocks doors, cabinets and vaults – digitally and real.

That world, so to speak, is now, or at least we’re on the periphery of a new digital age as imagined many years ago by thinkers, futurologists and philosophers.

In terms of protection, on Android devices specifically, we’re already somewhere exciting. As we discussed in a previous post, the threats to Android smartphones are very real, and threats to cyber security are an ongoing risk which must be met with innovative ideas.

Take for example Google’s new ‘face unlock’ feature on the latest Android devices packing Ice Cream Sandwich (4.0), a self-explanatory phone locking system which fundamentally does away with PINs and replaces them with the owner’s face. While it is still in its infancy, it is a system which is yet to be fooled – photos of the owner return a negative response.

Unless you are inclined to get the latest Nexus, however, you won’t yet be privileged to ICS and such features. In the meantime then, let’s discuss what security measures are out there right now.

One of the most interesting developments is using GPS to track a stolen smartphone and not only remotely trace it, but allow for important and sensitive data to be wiped. Consider the free app Remote Phone Lock&Track, which allows you to do a range of things including wiping all internal memory and the memory of an SD card, as well as helping to locate the device. HTC have built a similar function into their Sense overlay.

Another free app is the LBE Privacy Guard (root required), which helps negate the weaknesses that come with an open source platform. It works in a similar vein to an interactive firewall, whereby every app you install is thoroughly scanned and then listed by the number and types of permissions it requests – thereby giving you the power to block those which are unnecessary.
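To show what “listing an app by the number and types of permissions it requests” looks like in practice, here is an added example (not code from the page or from LBE Privacy Guard) that parses a constructed AndroidManifest.xml, groups the requested permissions by sensitivity, and flags those a photo-filter app has no obvious need for. The category table and the sample manifest are constructed for illustration, not taken from any real app.

```python
"""Permission triage for an Android app manifest (added example, constructed data)."""
import xml.etree.ElementTree as ET

# The 'android' XML namespace used for attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed category table: which requested permissions touch sensitive data.
# A real policy would be derived from the platform's protection levels.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "identity",
}

# Constructed sample manifest for a hypothetical photo-filter app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilter">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml, expected):
    """Group requests by sensitivity category and flag sensitive ones outside
    the set that the app's stated purpose justifies ('expected')."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    by_category = {}
    for p in perms:
        by_category.setdefault(SENSITIVE.get(p, "other"), []).append(p)
    unexpected = sorted(p for p in perms if p in SENSITIVE and p not in expected)
    return {
        "package": root.get("package"),
        "total": len(perms),
        "by_category": by_category,
        "recommend_block": unexpected,
    }


if __name__ == "__main__":
    # A photo-filter app plausibly needs the camera (and network); nothing else.
    report = triage(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"})
    print(report["package"], "requests", report["total"], "permissions")
    for cat, names in sorted(report["by_category"].items()):
        print(f"  {cat}: {', '.join(names)}")
    print("Consider blocking:", ", ".join(report["recommend_block"]))
```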

Encryption – a powerful word in information security, forensics and governance. One such platform is WhisperCore, which basically encrypts all the data on your device, so should it go missing you can rest assured that your data is safe. And because WhisperCore integrates with Flashback, you can send your data to the cloud – encrypted.

As with the levels and amounts of threats out there, this is only a brief introduction to the kinds of security measures available to everyone and every business operating off smartphones that run Android as their operating system. It’s an exciting new age for anyone involved in technology. For every malicious piece of software out there, there’s an equally stringent defence mechanism to counter it.

The battle lines are drawn.

Read more about LBE Privacy Guard and Android security in general in the Acumin white paper: http://www.acumin.co.uk/cm/content/resources/white_papers

Threats Facing Android

In a very recent article on PC World’s website, Eric Geier wrote that 2012 will see a rise in information security threats, aided, in part, by the ubiquity of mobile devices – smartphones, tablets and laptops for example – as well as the growing and sustainable popularity of social networks. Cybercrime is going to become a very pressing issue indeed.

Moreover, a new study by McAfee suggests that Android is now the number one attacked mobile platform out there.

With that in mind, we thought we’d give some of you professionals working in forensics, governance and compliance, and information security and risk management a lowdown as to some of the major threats – and vulnerabilities – facing devices using Android.

Third party applications are one of the best things about using Android – the open source nature of it allows for widespread innovation and development, providing consumers and businesses alike with a huge variety of choices. Naturally, established names imply a certain level of tacit trust – you’re confident that you’re getting a reliable product – whereas unfamiliar names bring a level of uncertainty – you’ve got nothing to weigh it up against. Because the open source environment is defined by the sheer volume of developers and products out there, it can be a tough maze to navigate through.

Similarly, Google’s own casual mantra, their guiding company philosophy of openness and close collaboration, though commendable, brings certain obvious weaknesses that are, in comparison to, say, Apple, a major shortfall. Take for example the verification process for applicants wanting to enter the Android market – in the last two years a number of apps, approved and available to users, have come with malware infections. This is a major area that needs addressing.

Other things to be wary of include privacy settings. Though we may live in an age of ‘over-candidness’, where people reveal odd little titbits on sites like Facebook and Twitter, privacy is still a right worth protecting. However, in some cases there are transparent weaknesses already built into certain devices. HTC devices, for example, automatically geo-tag photos and Tweets – you actively have to disable this feature. Similarly, other devices alleging localised services could, rather worryingly, sneakily utilise GPS permissions for location tracking. And of course there is the much publicised data collection and exposure on the company’s Sensation and Evo range.

One of the biggest risks is the easy access to a virtual private network (VPN), which many businesses and employees use remotely, providing an easy mobile working environment. This is great for increased connectivity and in promoting flexible working, but it is also a route for cybercriminals to infiltrate corporate networks surreptitiously and either introduce malicious software or steal important data.

The threats are very real, but there are measures in place to help protect Android users. We’ll be discussing that in our next post. In the meantime, for further reading check out the Acumin white paper on Android security: http://www.acumin.co.uk/cm/content/resources/white_papers

Open source Android a target for cyber criminals

The smartphone revolution was always inevitable if we considered Moore’s law as indisputable fact. To abridge a very fascinating and somewhat complicated branch of philosophy coupled with technological discourse, Moore’s law relates to the idea put forward in 1965 by Gordon Moore, Intel co-founder, that the number of transistors on a chip would double every 24 months.

Simply put, this would result in technological devices being smaller, more intelligent and powerful than their predecessors. So far so good, this could be a near-enough description of how things have panned out nearly 50 years on from that now prescient statement.

With smartphones coming to dominate the lives of everyone from bankers, to social networkers to information security and risk management professionals, these devices, like their cumbersome ancestors, are vulnerable to – or at least victim to – cyber security breaches.

Google’s Android operating system, which is at the forefront of the smartphone market – it’s available on a wide range of devices at competitive prices – is one which is being most visibly targeted. At any given time there are 40,000 infected devices across the globe, which goes some way to show how serious the problem is for Google.

It comes with the territory – Google, though famous for its adage “don’t be evil”, has grown into a huge multinational corporation with a massively diverse portfolio of operations. Many of which are free, many of which are predicated on the idea of collaboration. This is especially the case with Android, which is based on an open source philosophy – which allows people the freedom to modify, change and improve existing programs.

Which leaves it naturally vulnerable to those seeking to use it for far less noble goals – rootkits, Trojans, botnets, you name it; all of this is able to, in some way, immerse itself into the Android operating system. An apt description of this is the commercialisation of mobile malware, meaning smartphones are now prey to malicious and manipulative rogue software like SpyEye.

That’s just a brief introduction to the current state of play in the growing prevalence of cyber security threats on mobile devices. In the last year alone, 20 per cent of cyber crime in the United Arab Emirates occurred on mobile devices.

With smartphones fast becoming a part of everyday business, adopting risk management procedures to counter this is going to be an important part of the daily rigmarole.

In our next blog, we’ll look at some of the major threats and vulnerabilities on Android devices.

Download the Acumin white paper on Android Security from here: http://www.acumin.co.uk/cm/content/resources/white_papers

What are you and your organisation doing about Android security?

At the RANT Forum (Acumin’s monthly information security networking event), attendees often complain that they are playing catch up to cybercriminals. It is the bad guys that define the market; they are at the cutting edge as they try and find vulnerabilities, attack vectors, and exploits that will allow them to break into a network. It is difficult enough for the CISO and Info Sec Manager to ensure that they are recognising and mitigating the appropriate risks, let alone trying to factor in emerging threats such as zero days and second guess the nature of the next generation of hack attempts.

This idea of playing catch up in IT security also extends into new technology areas; the corporate line often requires some maturity before implementation of new products. This has not necessarily been the case with smartphones. By smartphones I refer here not to the old school PDA-type devices we enjoyed at the turn of the millennium – my guilty pleasure on that one is here! Rather I mean the competing trinity of iPhone, Android, and Blackberry… sorry WinMo7, you are underappreciated indeed!

There must be few technologies that have been so rapidly integrated into the corporate environment, let alone being driven by users. Early adopters usually spend hours going blue in the face trying to explain why gadgets like the Psion Series 3 are the ‘next big thing’; with the emergence of shiny and gimmicky apps, though, the ‘Wow factor’ of the modern smartphone has spread like wildfire (not the HTC Wildfire, which would spread slowly due to an underclocked and underspec’d CPU!).

So, when the CEO (or his/her designated errand runner) knocks on the door of the info sec team, it is a brave IT Security Manager who will cautiously lean out from behind the firewall cluster and inform them that the proper security controls haven’t been developed and implemented yet to let the boss’ new toy run riot on the network. So what do you do?

We find the information security industry, both in terms of vendors and internal security, looking to develop protective measures for what is essentially a pocket computer (a proper one with RAM and CPU to match the claim, as opposed to this.) With such rapid technical innovation in terms of hardware and software it is difficult to keep abreast of emerging threats and how to counteract them.

Android probably stands as more of a challenge than the iPhone here – its users are typically more technical and are allowed greater freedom by the OS to chop and change. This means that control becomes difficult, especially with the wide number of devices and various incarnations of the operating system. The iPhone, with its proprietary nature, is an easier beast to tame. So if you’re looking to find out more about the threat landscape on Android, as well as some of the potential vulnerabilities and counter actions you can take as both a personal and business user, take a look at the Acumin white paper on Android Security.

– Ryan Farmer

rfarmer@acumin.co.uk

How easy is it for us to find your CV?

Search for advice on writing a CV and one of the first things you will read is that it should be no more than two pages long. The last thing a hiring manager wants to do is read through reams of paper detailing your every project and anything else you’ve ever done or thought about doing in your life; brevity is encouraged, and you must engage your reader to keep their attention.

Much of this advice is good. CVs should be succinct, on-topic, and objective. Follow the old mantras about CV writing down to the line though and you are left with a document that will look pretty uploaded on your favourite job boards, but will often see you overlooked for roles for which you are perfectly suitable. A CV is no longer a record of your most worthwhile achievements; it is now a digital resource, a way of indexing your experience.

Ask most jobseekers what they do with their CV once they have finished writing it, and I doubt many will tell you that they print it off, read the advertising section of the newspaper, and then start sending out copies in the post. Typically you will upload it to your favourite job board or send it across to a trusted recruiter. That’s the hard part done, you’ve ‘got yourself out there’, now it’s just a waiting game until the right role comes along, right?

Wrong. Too many candidates fail to consider how life is on the other side of the fence, how we engage with their CVs. This is particularly true when recruiting information security and risk management professionals, who can have very niche skills and responsibilities. So here it is…

Whether it is sitting on Monster.co.uk or a recruitment database, it is important to consider how it is accessed. I can tell you that if I know you as an information security candidate, I might search for you by name, but otherwise your suitability for the roles I am working on depends completely on your CV’s ability to match my search. Any recruiter with a little training will understand Boolean search strings, and now, in order to ensure you are considered for the most relevant jobs, candidates must too.

CV writing should now be seen as SEO. Consider the meta keywords that will bring you up in the searches for the roles you’re interested in, and consider the search hits that will display your profile above your competition. It’s also important to understand the value of your skills; too often I learn about a candidate’s experience with an in-demand technology only when I have invested the time to speak to them. All recruiters know those calls when a candidate will phone in and enquire as to why they haven’t been contacted about a role for which they believe they are perfect; considering the above, the reason for this becomes quickly apparent.

CVs aren’t telling us enough. For example, a candidate might simply mention ‘security monitoring’ in one of their roles, when actually they have good knowledge of IDS, IPS, and SIEM systems – which are highly sought after at the moment as they tick a few of the required boxes for PCI compliance. Or what about the information risk hot topic of the day, application security? Expertise in this area can see some candidates command impressive increases in their salary. Whilst ‘application security expert A’ gets his pay rise, ‘expert B’ is failing to get interviews. I bet you know by now which candidate has written their CV with search terms in mind, who has discussed their experience in a way that makes it clear what they have been doing, and who details their specialisation most effectively.

Ultimately, your hiring manager or recruiter only knows what you tell them, and your CV is your primary form of communication. Your job search may end up a success but think about the exciting opportunities you might have missed out on due to an inability to consider what happens to your CV once it leaves your hard drive. Whilst a strong understanding of the market is going to help, overcoming this is relatively easy – technical skill profiles or project overviews are certainly one way to progress yourself up the search results, particularly in product heavy roles such as IT security engineering. For some, particularly technical security contractors, you might consider writing a version of your CV that is considerably longer than you would normally like, with a simple disclaimer that it is a keyword-optimised document. Another useful measure to take when uploading your CV to a job board is to utilise ‘personal summary’ or ‘about me’ sections to search optimise your profile.

It’s time to stop thinking about how your CV looks, and start thinking about how people will find it.

– Ryan Farmer

rfarmer@acumin.co.uk