Here are a few articles I found interesting this week, after sifting through all the April Fools debauchery:

DoD Inspector General Calls Out Army CIO For Poor Mobile Device Security

“The CIO of the U.S. Army failed to put in place a comprehensive security program capable of protecting data stored on commercial mobile devices such as iPhones and Androids, leaving sensitive information in key Army installations exposed. The Inspector General of the Department of Defense took the Army CIO to task in a new report, saying that the CIO "did not implement an effective cybersecurity program for [commercial mobile devices]".”

Here is an example of where mobile devices, “Bring Your Own Device” (BYOD), and a failure to keep policies up to date with the rapid uptake of new technologies increase risk to an organization, in this case the United States Army. Even more worrying is that the devices may have connected to sensitive networks that contained protected government sensitive data, not simply a corporate network with proprietary commercial information. Risks of exposure of that data included the data being stored on the device and carried out of the facility, where it would be easier to obtain; unapproved devices that were not appropriately hardened connecting to the network and exposing information; and unapproved personal devices carrying external threats, such as malware, into these protected networks, bypassing border security and authorization controls. When paired with another recent article, Break Out a Hammer: You’ll Never Believe the Data ‘Wiped’ Smartphones Store, the threat really starts to take shape. It’s also disheartening because there are other governmental organizations, including the NSA, that publicly publish guidelines on how to secure devices and infrastructure. Interestingly enough, on the other side of the fence, authorities are claiming that the latest communication technologies used by citizens are too secure, and are struggling to reestablish “wiretapping” capabilities for lawful intercept during surveillance operations. So, here we have ordinary civilian users who are “invisible” to the government, and yet there are still entities within the government that can’t adequately protect their communications and data.

Are Hackers Heroes?

“"Hacker" is one of the most loaded Internet words getting thrown around these days. To many (hi cable news), the label is inherently malicious, and goes hand in hand with threats to blow up the interwebs. Others who self-identify as such, will never ever stop whining about how it means just the opposite. But are hackers of either flavor heroes? Can they be?”

This article and accompanying video attempt to show how the same term can describe two very different ethos when it comes to using technology in modern society. This issue has been present for decades, and haunts even those on the sidelines. We purposefully avoid the moniker “hacker” in our education materials, due to the connotations it can carry for different audiences experiencing the same information. The article even hints at hope for a time when the good guy “whitehat” hacker and the morally questionable “blackhat” hacker aren’t thrown under the same umbrella. However, one thing to note is that when calling out the difference between the two ethos, including a clip that has wireless access point credentials written on a whiteboard in the background is probably a bad idea. Taking the discussion further, the topic turns to whether either can be a form of heroism: the blackhats pushing for potentially needed social changes through technological and possibly law-breaking means, while the whitehats foster the “maker culture” to create innovative solutions to problems faced by society. I think that in certain cases there can be merit to these ideas, but as Alfred in The Dark Knight so eloquently stated: “Some men just want to watch the world burn.”

Spammers use Google Translate to Bypass Filters

“Clever spammers have come up with a way to bypass email filters in order to send Pharma-themed junk messages. The process is done in stages, using a legitimate URL shortener, Google’s translation services, and compromised domains.”

This is a great reminder that the battlefield is always changing, the threats are evolving, and features in a system can be turned on their head and used as weaknesses. In a nod to the article above, the most creative minds can come up with interesting and novel solutions to “problems”, even when those problems arguably don’t need to be, or even shouldn’t be, solved in the first place. More proof of this phenomenon is in this excellent article about new avenues for old scams, and the endless escalation between the attacker and the defender. Given an obstacle with a tangible goal resting on the other side, an attacker needs only to find a single path to their goal, while the defenders must mitigate all of them.

Hackers Attack Activists Through Their Androids. Is Apple Next?

“Kaspersky Labs reports that the first malware to specifically target Google’s Android mobile operating system has been discovered.”

There are many variables contributing to the malware trends affecting technology, including mobile devices and mainstream computing platforms. I think it’s complex and a difficult prospect to predict where it will go next. Android devices have some strengths, including that they are becoming more popular, which may help cull out vulnerabilities through use and abuse. Some weaknesses, though, include fragmentation of the platform, meaning that the same vulnerability may or may not exist on devices from different vendors, or even that a universal Android issue may be solved differently (or not at all!) by different vendors. The old adage from a few years ago about the Windows monoculture over Apple products led many to believe that Microsoft appearing as the more popular target due to more fruitful efforts may play a role in the targeting of devices. Also in play, I think, is the openness of the Android ecosystem compared to the “walled garden” approach Apple takes. I like freedom of choice, but Apple’s locked down ecosystem may help mitigate risk, whether or not the devices are vulnerable to attack.
