A Look Back…

The subtitle of my blog is “Finding the balance between access and security.”  What I attempted to do with my blog was to look at information security issues.  Cybersecurity professionals are always trying to find the right mix between making something secure enough and at the same time, accessible.  In this process, there are always compromises. Most of the time, the right place to be is close to the middle.  But some things don’t have a clear, generally agreed on solution.

In many of the posts, the issues are pretty straightforward and I took a strong position on one side of the issue.  For example, I really think WikiLeaks founder, Julian Assange was completely wrong to post a malware program on his website instead of giving it to security professionals who could work on a defense against the software (17 September).  In other posts, I stayed firmly in the middle.  In my post about ethical hackers being paid to find security flaws in software (1 September), I stated they provide a valuable service so we can defend against unethical hackers.

I encountered the topics for my blog in the radio programs I listen to and the blogs I subscribe to at work.  It didn’t seem difficult to find topics to write about. Most of the sources were IT tech blogs and they simply caught my attention.  I subscribe to about 8 weekly blogs on a variety of topics.  Most weeks I don’t read all of them.

Since I was generally commenting on someone else’s blog post, I feel that I wasn’t really adding anything new.  If I wasn’t required to blog for this class, I would comment on the blog with my opinion. Still, it was an enjoyable experience.   It’s a lot more fun to write about something I feel strongly about.  Doing so in a blog makes me think it through and organize my thoughts better.  On at least one occasion, I actually changed my opinion before I was done writing.  

Criminals Get Caught by Weak Security

Apparently, criminals need to be more concerned about security, too!  US and European law enforcement agencies recently took down 400 illegal websites, arrested 17 people and confiscated drugs, money and computer equipment.  The websites were all using Tor, a web anonymity application that is used for accessing the "dark web"-- webpages that are not indexed by normal web browsers like Google or Bing.  Because the websites aren't easily accessible, they are popular with people who want to circumvent laws.  This includes political activists.  It also includes people who sell child porn, stolen credit card information, illegal drugs and weapons.

Tor is a browser on the surface, but it has a suite of applications that work with it to anonymize the path the data takes, add layers of encryption and hide the identity of the sender.  The user can access the dark web using Tor, but it isn't secure unless you configure and activate the additional applications.  Adding additional security such as adding more hops or additional layers of encryption slows down the data transfer.  Apparently, some criminals got complacent or impatient.

The specifics of how the criminals were caught isn't explained in the blog post, but my best guess is they cut corners with their security.  In this case, it worked out for the forces of good!



Nieva, R. (2014, November 7). Police skirt Tor anonymity software in shutting down illegal websites - CNET [Web log post]. Retrieved from http://www.cnet.com/news/authorities-skirt-tor-anonymity-software-in-shutting-down-illegal-websites/

/

Microsoft Gets a Little More Secure

I remember the early days of Microsoft Windows.  It was designed as a stand-alone operating system.  This made sense since the only way to connect to the Internet was through a modem and a phone line.  Dialup Internet access was expensive, too, so most didn't have access at first. As technology improved, security on a Windows PC didn't keep up.  We had to buy aftermarket anti-virus and malware software.  Just six years ago, Microsoft began offering free anti-virus software called Security Essentials for download on any Windows PC.  They're going to include more security features in Windows 10, the next generation of Windows scheduled for release in 2015.

According to Ed Bott of ZDNet, Windows 10 will be able to have 2 factor authentication built in, requiring a PIN or biometric, greatly reducing the threat of identity theft. The second factor will be the device - a tablet, laptop or PC.  It looks like this could be used for purchases with a cell phone and a PIN or fingerprint complete the transaction.  These features will also be available on enterprise computers as well, improving corporate security.  It looks like this will make bring-your-own-device secure enough to satisfy enterprise security professionals

Details will be coming as time goes by, but it's great to see Microsoft getting more serious about security.



Bott, E. (2014, October 22). Microsoft reveals audacious plans to tighten security with Windows 10.  Retreived from ZDNet; http://www.zdnet.com/microsoft-reveals-audacious-plans-to-tighten-security-with-windows-10-7000034963/?s_cid=e539&ttag=e539&ftag=TRE17cfd61

NIST Provides a Balanced Approach to the Cloud

The Federal government has just published it's first guidance on how to design and manage cloud computing.  They provide 10 requirements for cloud initiatives.  It's a well balanced document that looks at security as well as protections for the cloud service providers and the businesses who use them.  The guidance covers categories of accessibility, interoperability, performance, portability, and security technology.

The requirements push for setting the standards high for security and clear and consistent guidance in developing service agreements, good quality metrics and reliability.  In reality, this is just the guidance that provides the roadmap for where cloud computing should be implemented from the viewpoint of the federal government.  NIST is an agency of the Department of Commerce, so they are focused on both business interests as well as protecting businesses.  There are at least 3 more publications to be written and revisions of existing governance in the works.

NIST seems to be one government agency that is actually helpful.

McKendrick, J. (2014, October 25). NIST puts a sharper point on cloud computing | ZDNet [Web log post]. Retrieved from http://www.zdnet.com/nist-puts-a-sharper-point-on-cloud-computing-7000034990/

National Institute of Standards and Technology. (2014). US Government Cloud Computing Technology Roadmap Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-293.pdf

Finally! A Secure SmartPhone!

The worlds first smartphone designed with security in mind was released in June this year.  The maker, SGP Technologies, states the phone is "Secure by design".  As a smartphone it has all the same basic features any user would expect, 3G GPS, Bluetooth, Wifi 802.11 b/g/n, a camera  and lots of sensors.  But where it really sets itself apart from the rest of the market is the security features.

 At the heart of the phone is the modified Android version 4.4 called PrivateOS.  Unlike the standard Android, all Google services are removed and standard applications like email, browser and cloud storage are generic (not Gmail, Chrome or Dropbox) so they don't have services gathering data on the user.  Other security features have been added such as encryption and a VPN client as well as a suite of security apps from Silent Circle, creator of Android and Apple security apps such as Silent Phone, Silent Text and Silent Contacts.  These apps encrypt the stored data and transmit securely.  Other features are remote wipe and full disk encryption.

The best feature is the Security Center.  After installing any new applications, the services that you have to allow to set them up can be disabled individually.  For example for a mapping application you can disable access to your address book and phone ID, but keep location services running.

The cost of all this security is that the phone doesn't come with an App Store.  This is because the app stores themselves are insecure.  Installing any additional apps will make the phone less secure.One other problem is that the phone doesn't have any malware protection installed.

All in all, it's great to have a secure Android smartphone on the market.  The benefit of security comes at the cost of convenience that all those insecure apps bring.  Maybe we will be able to keep our privacy and still enjoy the convenience of always being connected someday.  We just got closer!



Malenkovich, S. (2014, October 22). Blackphone review: is a secure smartphone possible? [Weblog post]. Retrieved from Kapersky Lab Daily Blog website:  http://blog.kaspersky.com/blackphone-review/

SGP Technologies.  (2014).  Blackphone.  https://www.blackphone.ch/

Humans are the Weakest Link in Security

IBM has just released its 2014 Cyber Security Intelligence Index.  Much of the information presented seemed like the same old news.  Humans intentionally instigated 95% of the attacks and that's not really surprising.  Computers don't hate us and have no reason to steal personal information, trade secrets or credit card numbers.  What I found surprising is that social engineering is still a preferred method for these malicious attacks.  Ohlhorst points out the engineering is getting more targeted;

IBM correctly identifies how social networking has impacted IT security and makes the point "Rather than seeing a particular enterprise as a single entity, attackers now also look at an enterprise as collections of individuals. That means they decide to target specific people instead of enterprise infrastructures or applications. In other words, the personal lives and business activities of employees can be leveraged to target an enterprise."

IBM says the average security breach costs the company $3.5 million.  If 5% of the employees at your company are the inadvertent actors they target, are they trained to see social engineering methods? My employer has about 2000 people working in my building, so that means 100 of them are likely to provide the access an attacker wants. Is it worth the time and effort for companies to take this threat seriously and train employees more thoroughly?


Ohlhorst, F. (2014, October 8). IBM says most security breaches are due to human error.  Retrieved from TechRepublic website:  http://www.techrepublic.com/article/ibm-says-most-security-breaches-are-eue-to-human-error.

IBM. (2014).  2014 Cyber Security Intelligence Index.  http://www-935.ibm.com/services/us/en/it-services/security-services/2014-cyber-security-intelligence-index-infographic/

Microsoft needs to Stop Trying to Do Everything

The latest test results of independent antivirus test lab AV-Test Institute were released recently and Microsoft System Center Endpoint Protection, the Corporate version, came in dead last.  The Home version, Microsoft Security Essentials, also performed poorly.

 AV-Test Institute reported on 33 antivirus applications, 9 corporate applications and 24 home applications.  They have a very comprehensive testing process that uses 150- to 200 current real-world threats.  They evaluate the software for the following categories;

 Protection - effectiveness against virus and malware threats

 Performance – impact of the software on the performance of the computer

Usability – detection of false positives

Microsoft’s corporate version only detected 74% of the real-world virus and malware threats compared to the industry average of 96%. The home version did slightly better.   The software performed well in the other two categories.  All other vendors performance was rated 96% or better.  Microsoft needs to go back to doing what they do best – Application software for servers and PC’s.  Antivirus software is specialized and it’s apparent they don’t do it well. 

Kassner, M. (2014, October 6). Microsoft scores poorly in latest virus protection test for Windows 7 - TechRepublic [Web log post]. Retrieved from http://www.techrepublic.com/article/microsoft-scores-poorly-in-latest-virus-protection-test-for-windows-7.