Here are a few articles I found interesting this week:

Instagram Security Flaw on iOS

“A security flaw has recently been uncovered in the Instagram iOS app which could allow a hacker full access to your account. The flaw comes in the authentication with the Instagram servers. Your account information is stored and transferred in an unencrypted cookie file. If you are on an unsecure network, a malicious individual could technically grab the cookie and have access to your account.”

Snarky comments about iOS security aside, this issue is a perfect example of how lessons that should have been learned writing traditional web apps were ignored or forgotten when moving to the dazzling world of mobile app development. It wasn’t all that long ago, in 2010, that Firesheep was making headlines because of essentially this same exact issue! The username and password were sent over an SSL encrypted connection, but the session token was subsequently sent in the clear, allowing anyone on the same unencrypted coffee shop network to piggyback on your Facebook session without knowing your password. Instagram is simply taking this same issue, 2 years later, and carrying it forward to the mobile platform. While it’s disappointing to see these types of issues come up, it’s not surprising. Every foray into the next big paradigm, be it web applications, AJAX, web services, and now mobile apps, seems to bring about amnesia surrounding previous “lessons learned”.

John McAfee arrested in Guatemala for illegal entry

“Software company founder John McAfee was arrested by police in Guatemala on Wednesday for entering the country illegally, hours after he said he would seek asylum in the Central American country… The 67-year-old went on the run from Belize last month after officials tried to question him about the fatal shooting of a neighbor.
McAfee had engaged in a series of clashes with neighbors and authorities over allegations he kept aggressive dogs, illegal weapons and drug paraphernalia in his beachfront home on a Belize island. McAfee has denied any wrongdoing and said he was being persecuted for refusing to donate to local politicians.”

To be honest, I’m not sure what to believe with this situation. Some governments are notoriously corrupt, requiring kickbacks to stay out of harm’s way. But then again, John McAfee is quite an eccentric guy. It seems like his blog postings on the lam (with a much younger, impressionable, and beautiful woman he rescued from poverty) could legitimately be an attempt to let the world know about the injustices that have befallen him. They could also be seen as a taunting tale of cat and mouse while he runs around in the tropics with a lady on his arm. The reality is we may never actually know which side of the fence either John McAfee or the Belize authorities are actually on, but I can’t help but hope that if he really is being persecuted, and he is an innocent party, he manages to beat the odds.

How software guru McAfee was located in Guatemala

“The high-tech entrepreneur invited reporters from VICE.com to join him on the lam. The online magazine was interested in documenting McAfee's edgy lifestyle, which in recent years has revolved around drugs, sex and guns. To promote its exclusive access, VICE published a smartphone picture of McAfee with reporter Rocco Castoro. That was a big mistake. Digitally embedded in the photo was the location where it was taken, and it placed McAfee in Guatemala -- just across the border from Belize. Now the world knew where John McAfee was hiding.”

Here again, we see an old trick used far past what should have been its expiration.
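The “old trick” is the GPS block inside a JPEG’s EXIF metadata. As an added illustration (this is not code from the post, from VICE, or from any camera vendor), the Python below builds a constructed minimal JPEG whose APP1 Exif segment holds only a GPS IFD with made-up coordinates, reads the latitude and longitude back out of it the way a metadata viewer would, and then strips the Exif segment the way the upload pipelines mentioned below now do. It assumes the common layout only: the GPS IFD pointer (tag 0x8825) in IFD0, and latitude/longitude stored as three RATIONALs (degrees, minutes, seconds) with N/S and E/W reference tags.

```python
"""Find and strip GPS coordinates from a JPEG's EXIF (APP1) segment.
Added example, not code from the post or from VICE; the JPEG is constructed
in build_sample_jpeg() and carries made-up coordinates."""
import struct

SOI, EOI, APP1, SOS = 0xFFD8, 0xFFD9, 0xFFE1, 0xFFDA
TAG_GPS_IFD = 0x8825          # IFD0 entry pointing at the GPS sub-IFD
EXIF_ID = b"Exif\x00\x00"


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment after SOI, stopping at SOS/EOI."""
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == EOI:
            return
        yield marker, pos, pos + 2 + length
        if marker == SOS:      # entropy-coded image data follows; no more headers
            return
        pos += 2 + length


def _is_exif(data, marker, start):
    return marker == APP1 and data[start + 4:start + 10] == EXIF_ID


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries


def _dms(tiff, raw, e):
    """Three RATIONALs (deg, min, sec) stored at the offset held in the value field."""
    (off,) = struct.unpack(e + "I", raw)
    v = struct.unpack(e + "IIIIII", tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when no GPS IFD is present."""
    tiff = next((jpeg[s + 10:end] for m, s, end in iter_segments(jpeg) if _is_exif(jpeg, m, s)), None)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"        # byte order from the TIFF header
    (ifd0,) = struct.unpack(e + "I", tiff[4:8])
    entry = _read_ifd(tiff, ifd0, e).get(TAG_GPS_IFD)
    if entry is None:
        return None
    (gps_off,) = struct.unpack(e + "I", entry[2])
    gps = _read_ifd(tiff, gps_off, e)           # tags: 1 lat ref, 2 lat, 3 lon ref, 4 lon
    if 2 not in gps or 4 not in gps:
        return None
    lat, lon = _dms(tiff, gps[2][2], e), _dms(tiff, gps[4][2], e)
    if 1 in gps and gps[1][2][:1] == b"S":
        lat = -lat
    if 3 in gps and gps[3][2][:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(jpeg):
    """Copy of the file with every APP1 Exif segment removed; pixel data untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, an APP1 Exif block holding only a GPS IFD, EOI.
    Offsets inside the TIFF block: header 0, IFD0 8, GPS IFD 26, rationals at 80 and 104."""
    e = "<"
    tiff = b"II" + struct.pack(e + "HI", 42, 8)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(e + "I", 0)
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", 1, 2, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack(e + "HHII", 2, 5, 3, 80)
    tiff += struct.pack(e + "HHI", 3, 2, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack(e + "HHII", 4, 5, 3, 104) + struct.pack(e + "I", 0)
    for v in (*lat_dms, *lon_dms):
        tiff += struct.pack(e + "II", v, 1)      # RATIONAL = numerator, denominator
    app1 = EXIF_ID + tiff
    return struct.pack(">HHH", SOI, APP1, len(app1) + 2) + app1 + struct.pack(">H", EOI)


# Made-up coordinates (the usual Pittsburgh textbook example), not from any real photo.
SAMPLE = build_sample_jpeg((40, 26, 46), "N", (79, 58, 56), "W")

if __name__ == "__main__":
    print("before strip:", extract_gps(SAMPLE))
    print("after strip:", extract_gps(strip_exif(SAMPLE)))
```

Run against a real photo, `extract_gps(open(path, "rb").read())` is the check to make before publishing anything, and `strip_exif` is the remedy; note that stripping the whole APP1 block also drops harmless camera metadata, which is exactly the trade-off the big upload sites settled on.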

It seems like years ago that sneaky Facebook and Twitter users were examining uploaded photos for the EXIF data that contained GPS coordinates and, in response, nearly every app and site started stripping out this data for you because of the PR nightmare. I double-check all my own settings any time there is an update to my mobile device’s OS to be sure I’m not leaking this data myself. Apparently, now that sites, apps, and devices take care of this for us, there may be a younger and less in-tune group of technology users that didn’t know that. It’s one thing when GPS data leads to embarrassing situations, especially if the embarrassment is self-inflicted by posting to social media. But it’s quite another when it leads to the arrest of someone who is on the run and may or may not be a victim of persecution, at the hands of a young reporter eager to get an exclusive scoop.

When in China, don't leave your laptop alone

“You're traveling in China on business, and after checking into your hotel room you decide to grab a bite at a local restaurant. You're not planning to work, so you leave your laptop on the dresser, lock the door, and exit, feeling confident that your possessions are safe. An hour and a half later you return and note that all your stuff, including the laptop, is just where you left it. Everything seems fine, and you go about your business, conducting meetings with potential clients over the next few days before returning home. But everything is not fine. While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer -- without your having a clue.”

Having worked in the defense industry earlier in my career, this is nothing new to me. We were told explicitly about these types of threats when travelling out of the country and, even back then, China was high on the list.
It also shouldn’t be surprising that the threat extends past national security and into private industry, as there have been several examples over the last decade of Chinese corporate espionage, both while Americans are travelling to China and on American soil. Hardware and software are getting trickier, stealthier, and smarter all the time, so it’s no longer a complex technical feat requiring massive funding to pull off such an attack. With today’s plethora of mobile-enabled devices featuring nearly full-fledged operating systems, this trend does not seem likely to decline as the attack gets easier and easier to pull off. The fact that private industry must now call out and sound the alarm is, I think, a sign that for those who have been affected, it was a devastating and eye-opening event. But unfortunately, for every one of those events there is a less tech-savvy business executive scoffing at the same story, thinking “that wouldn’t happen to me!”... until it does.

BYOD: Why Mobile Device Management Isn't Enough

“Nine out of 10 technology pros think smartphones and tablets will become more important to business productivity in the next couple of years. Seventy-two percent expect to offer more bring-your-own-device options so that employees can access company data with their personal gadgets. But IT doesn't necessarily see mobile device management software as essential to coping with this proliferation of devices in the workplace… Even those companies that have implemented MDM need to make sure their technology and policies really deliver the data security and management efficiency they seek. All MDM software offers the same basic capabilities, such as data wipe and device inventory, so look for additional features that fit with how you use mobile devices.
For example, is it a priority for your company to build an app store, or will it need to get hundreds of new people a month on new devices?”

Mobile devices, the apps they run, and the data they carry can represent a significant risk to an organization. Whether that means data walking out the door with the device, or a device bringing malware behind the front lines, there are many lines that are blurred or outright crossed. I think the issue is gaining traction, and surprisingly it seems that there are some real potential solutions on the horizon. Recently Google announced that they are launching the “Private Channel”, a turnkey solution for an organization to create a private app store that controls what apps are available to their users. So now an organization can deploy MDM for device security settings and, on top of that, make sure that employees can’t download that awesome new game “Ninja Cat Slap” that just so happens to be a Trojan application deployed by eastern European organizations with thick accents. I’m glad that attention is being paid to the app side of the house. Device security settings are of course part of a “balanced and nutritious” defense in depth strategy, but apps that can run inside the barbed-wire fences and toss your data over to their buddies on the outside seem a little ridiculous when you think about it.

How the Eurograbber attack stole 36 million euros

“Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process. The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan.
When victims attempted online bank transactions, the process was intercepted by the trojan. Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach.”

This is a scary chapter in the arms race between organizations bent on making easy money and the security community attempting to thwart them with strategies like two-factor authentication. As shown time and again over the past several decades, the new strategies work great in the beginning, especially for the early adopters (security, implementation, and deployment issues aside). However, once the remaining low-hanging fruit has been plucked clean, the attention turns to the new technology standing in the way, and it’s only a matter of time. Security is a constant game of cat and mouse, and just like the classic duo from our yesteryear, Tom and Jerry, each side keeps outdoing the other and escalating their techniques and the collateral damage along the way. The only advantage that can be had is keeping people aware, especially on the tail ends, where older folks may fall off because technology outpaces them, and new young folks move in who are eager to move up but don’t have the training or experience to anticipate the threat landscape ahead.
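Going back to the first item in this roundup, the Instagram cookie and Firesheep: the defect in both cases is the same one, a session token minted behind TLS and then allowed to travel over plain HTTP. As an added example (not code from the post, from Instagram, or from Firesheep), the Python below audits a server’s Set-Cookie headers for session cookies that lack the Secure and HttpOnly attributes, and models the browser rule that decides which cookies go out on an http:// request. The sample headers are constructed; the name fragments used to spot a session cookie are an assumption, not any standard. A native app’s HTTP client has no Secure flag to honour, but the rule it must enforce is the same one the flag encodes: the token never leaves the device except over TLS.

```python
"""Audit HTTP response Set-Cookie headers for the flaw class in the Instagram
and Firesheep stories: a session token issued after an encrypted login that is
then allowed to travel over plain HTTP. Added example, not code from the post
or from Instagram; the header samples below are constructed."""

# Name fragments that usually indicate an authenticating cookie (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a dict of attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(set_cookie_headers):
    """Return (cookie name, problem) pairs for session cookies that a browser
    would send in the clear or expose to page scripts."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie["name"]):
            continue
        if "secure" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing Secure: token will be sent over plain HTTP"))
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing HttpOnly: token readable by page scripts"))
    return findings


def cookies_sent_over(set_cookie_headers, scheme):
    """Names of cookies a browser attaches to a request with the given URL scheme:
    a Secure cookie goes only over https; everything else goes over both."""
    sent = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if scheme == "https" or "secure" not in cookie["attrs"]:
            sent.append(cookie["name"])
    return sent


# Constructed sample headers (not captured from any real service).
VULNERABLE = [
    "sessionid=EXAMPLE-TOKEN-1234; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT",
    "lang=en; Path=/",
]
HARDENED = [
    "sessionid=EXAMPLE-TOKEN-1234; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(headers), "| sent over http:", cookies_sent_over(headers, "http"))
```

The second sample is what the login response should have looked like: the same token, but the browser will now refuse to attach it to any http:// request, so the coffee-shop sniffer sees only the harmless language preference. Feeding the script the Set-Cookie headers from your own login endpoint is a one-minute check worth adding to any release.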