Sentry Posts: Security management blog

Friday 6 November 2009, 4:14 PM

Motorola Droid Drops Today: Happy Droid Day America!

Posted by MobileTech

Author: Eric Everson, Mobile Security Expert

If you’re wondering what all of the buzz is about with words like Droid and Android 2.0 circling about, you might think for a moment that there is a new George Lucas film that hit theaters. To the contrary, Motorola’s much anticipated Droid handset hits Verizon Wireless stores today in America. This is a hallmark handset that comes equipped with Google’s Android 2.0 MOPS (Mobile Operating System) and offers what some believe to be Verizon’s answer to the iPhone.

As the official Droid release email from Verizon promotes, “The phone that makes you feel like a four star general with natural charisma, twelve arms and the power of mind control is here and is ready to serve.” Okay so, they might be overselling it a little bit, but this Droid handset certainly pushes the competitive landscape forward within the mobile industry. Having taken some time to tinker with the handset, the quality that stands out the most in comparison to the iPhone is its ability to handle apps (applications). If you’re used to the lag of opening apps on your iPhone, the Droid will feel like a supersonic blast of Star Wars-like hyper-drive in your palm!

Also notable is the 5MP (megapixel) camera feature, which pushes the idea of the camera phone into new territory. While it might not compare to the rumored 12MP Nokia camera phone that is secretly said to be in development, you’ll certainly notice a difference in picture quality compared to the 3.2MP camera of the iPhone. The Droid has the look and also pushes handset design forward to the next level with such features as a touchscreen plus QWERTY slider keyboard. The Droid also comes out of the box with built-in access to Amazon’s MP3 store.

Compared to the thriving Apple App Store and iTunes platform, the novelty of an Android App Store seemingly falls flat, but in all fairness the Android community is still very young. As third-party mobile content developers continue to see opportunities to embrace this new market, they will likewise be motivated to develop more apps. I see a great opportunity here for Google to flex its creative muscle to answer the competitive advantage that the iPhone already has in place.

As your resident mobile security expert, I would be remiss not to acknowledge the undertone of growing security concerns regarding the Android 2.0 MOPS. Are there mobile security vulnerabilities to come? Of course, but as I’ve noted in the past, nobody in the MOPS industry addresses vulnerabilities as well as the Google team. As we uncover new vulnerabilities throughout the MOPS landscape, the Google team is consistently the fastest and most efficient to respond.

If you’re in the market for a new handset or you’re one of many Verizon customers that has been waiting patiently for a smartphone of this caliber to come along, I say to you Happy Droid Day! May the force be with you!

-Eric Everson “The MobileTech”

Eric Everson is a leader in mobile technologies and is the founder of MyMobiSafe.com. If you would like to contact Eric Everson for interview or with consulting related inquiries contact him directly at EricEverson@Hotmail.com


Tuesday 3 November 2009, 6:15 PM

Mobile Security Profile: BlackBerry Storm2

Posted by MobileTech

Author: Eric Everson

BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data, the BlackBerry handsets are seemingly everywhere you look around the office. Most recently BlackBerry introduced the Storm2, a second generation touchscreen handset into the market. As the resident mobile security guru, I wanted to take a deeper look at this handset to gauge its real mobile security profile in the corporate environment.

As mobile handsets have become ubiquitous within the business environment, significant levels of proprietary business data have migrated from the security of the computer-based environment into the vulnerable setting of the mobile handset. Simply put, mobile devices have become the weakest link in enterprise security, which is something that the BlackBerry Storm2 does little to address. In fact, the security specifications detailed at BlackBerry.com for the Storm 2 merely include two features: Password protection and Screen lock.

Like every BlackBerry the Storm2 should come with a barebones version of The BlackBerry Enterprise Solution. The BlackBerry Enterprise Solution is a platform that can be purchased “with corporate data security in mind.” (BlackBerry.com; 2009) Essentially this is a security software offering that allows businesses to decide how much mobile security they are willing to pay for rather than a one size fits all security platform. There are pros and cons to this model, but it does allow a tailored approach for enterprise mobile security which many IT professionals enjoy.

If you are looking for a hacker-proof handset, the Storm 2 is built on the BlackBerry OS 5.0 MOPS (Mobile Operating System), which introduces the vulnerability that JavaScript has been enabled by default in the Internet browser. While no direct threat has been identified that exploits this feature, it is a prospective area of concern. From the standpoint of a standard (non-enterprise) user the security features of the Storm 2 will likely be sufficient.

If you’re simply looking for a new handset, many of the business/enterprise users of BlackBerry handsets will likely not find the Storm 2 an adequate replacement for a handset such as the BlackBerry Tour. Some users have already reported less battery life than what is found on the Tour, and many new users of the Storm 2 have complained that the audible clicks from using the touchscreen cannot be silenced. Anyone who “multitasks” on the BlackBerry while in meetings is sure to find the audible clicks a serious annoyance.

Personally, I love the Storm 2 as a personal handset, but compared to the Tour (or other similar BlackBerry models), the Storm 2 is no enterprise handset. In short, Storm 2 is good for home but not so much for the office. On the bright side, the security profile of the Storm 2 can be tailored to fit the needs of the enterprise environment to the same degree as any other BlackBerry model.

Ref: http://na.blackberry.com/eng/devices/blackberrystorm/storm_specifications.jsp


Tuesday 3 November 2009, 5:35 PM

South Korea plans to fingerprint visitors

Posted by Tom Espiner

The South Korean authorities could fingerprint and photograph foreign visitors from 2012, the Korea Times reported on Tuesday.

Barring diplomats and government operatives, all visitors over the age of 17 could have their fingerprints scanned and photo taken, said the article.

The Korean Cabinet has approved the Bill, which will be voted on by the National Assembly this month.

Should the plans go ahead, Korea will discuss sharing the data with the US, which operates a similar system. Japan also collects visitors' biometrics.


Monday 2 November 2009, 8:30 AM

Adobe Reader in the Enterprise

Posted by Greg Lambert

This week I had the pleasure of working with some of the Microsoft Premier Field Engineers (PFE's) in an effort to further understand some of the application compatibility issues that might occur when sequencing for Microsoft App-V (formerly SoftGrid).

Quickly, the topic turned to compatibility issues surrounding Folder Redirection as this appeared to pose a serious compatibility problem for Adobe.

A quick scan of the web raised a number of forum postings where numerous IT personnel could not get Acrobat or Reader 9 deployed due to C# debugging and "file not found" issues.

For a few samples look here:

http://thinmaillist.blogspot.com/2008/08/thin-re-watch-out-with-adobe-acrobat_9472.html
http://www.adobeforums.com/webx/.59b5c03a

It looks like there were some pretty drastic solution paths explored here, especially for Citrix deployments. Yikes... I am really glad that I don't have to do this stuff anymore...

Before I dive too deep into the Adobe deployment problems, let's have a little introduction to Microsoft's Folder Redirection.

The idea of re-directing user local data folders onto the network was introduced with Windows XP and is defined as, "the automated re-routing of I/O (operations) from local standard folders to use a different, storage elsewhere on the network". Translated, this means that some standard user folders (i.e. My Pictures, My Documents) are redirected to store your files on a network server. This greatly increases the chances that your files (and Pictures) will get backed up in the event of the laptop being nicked or knackered.

Windows Vista uses folder re-direction on the following directories; Contacts, Desktop, Documents, Downloads, Favorites, Music, Videos, Pictures, Searches, AppData, Links, Saved Games.

If your browser has a spell checker, AppData would appear with a red underline, which is appropriate as the AppData folder is one which caused us and, to my great surprise, Adobe quite a lot of trouble.

Through our trouble-shooting exercise it became clear that Adobe Reader and Acrobat 9 were attempting to write user specific data to the AppData folder. This is fine and according to the Microsoft logo application development specifications, this is OK.

So, in an enterprise environment, a user will logon to their desktop or laptop and if their IT department has done their job, the AppData folder will be redirected to something like; \\servername\region\department\username\AppData

And, here is the big issue. As folder re-direction takes place prior to logon, the user will not have any mapped drives. So, the fully qualified path to the final resting place on the target server for AppData will be a UNC path.

Hint: It will be a UNC path.

As you can probably guess where I am going here;

Adobe Acrobat 9 and Adobe Reader cannot store their AppData files onto a UNC path. After a little debugging through their code, it appears that there is a failure to "read from left to right" and correctly parse the full path.

Hence, the file not found, app crashes and C# debugger errors that present themselves to users upon application start-up.

So, I did a little more digging, loading Flash and versions 6, 7 and 8 of Adobe Reader. All of these packages use the redirected folder "AppData" in the same way - and I am sure that they will experience the same issue.

I will write more on the Adobe issues in forthcoming posts. And, there will be plenty to write about as it looks like there are over 400 application level conflicts between Adobe Reader 9 and Acrobat 9.


References:

Folder Redirection has a brief mention here: http://en.wikipedia.org/wiki/Folder_redirection
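
As an added illustration (not part of the original post, and not Adobe's code), the Python sketch below shows why a redirected AppData location can break software that only expects drive-letter paths. The post does not describe the actual defect, so `naive_split` is a hypothetical stand-in for a parser that assumes `X:\...`; the sample paths are constructed, with the UNC one following the pattern quoted in the post.

```python
import ntpath  # Windows path rules; works on any OS

# Constructed sample values. The UNC entry follows the pattern from the post:
# \\servername\region\department\username\AppData
SAMPLE_APPDATA = [
    r"C:\Users\alice\AppData\Roaming",                # local profile
    r"\\servername\region\department\alice\AppData",  # redirected before logon (UNC)
    r"H:\AppData",                                    # mapped drive, only after logon
]


def naive_split(path):
    """Hypothetical parser that assumes every absolute path is 'X:\\dir\\...'."""
    drive, sep, rest = path.partition(":")
    if not sep or len(drive) != 1 or not drive.isalpha():
        raise ValueError(f"no drive letter in {path!r}")
    return drive.upper() + ":", [p for p in rest.split("\\") if p]


def split_windows_path(path):
    """Return (kind, root, components) for drive-letter and UNC paths.

    kind is 'drive' or 'unc'; root is ('C:',) or (server, share).
    """
    path = path.replace("/", "\\")
    drive, tail = ntpath.splitdrive(path)
    if drive.startswith("\\\\"):
        # For UNC paths the "drive" is \\server\share, not a letter.
        server, share = drive[2:].split("\\", 1)
        kind, root = "unc", (server, share)
    elif len(drive) == 2 and drive[1] == ":":
        kind, root = "drive", (drive.upper(),)
    else:
        raise ValueError(f"not an absolute Windows path: {path!r}")
    return kind, root, [p for p in tail.split("\\") if p]


def compatibility_report(paths):
    """For each path, record its kind and whether the naive parser accepts it."""
    report = []
    for p in paths:
        kind, _root, _parts = split_windows_path(p)
        try:
            naive_split(p)
            naive_ok = True
        except ValueError:
            naive_ok = False
        report.append((p, kind, naive_ok))
    return report


if __name__ == "__main__":
    for path, kind, naive_ok in compatibility_report(SAMPLE_APPDATA):
        status = "ok" if naive_ok else "REJECTED by drive-letter parser"
        print(f"{kind:5}  {path}  ->  {status}")
```

Running the same kind of check against the profile paths your Group Policy actually produces is a quick way to test a package before sequencing it.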


Friday 30 October 2009, 6:19 PM

Now is the time to invest in security skills training

Posted by (ISC)2

The recent PwC survey into the Global State of Information Security (http://news.zdnet.co.uk/security/0,1000000189,39809565,00.htm) is a timely reminder of the skills adjustment facing our industry. Despite maturing in its short 20-year history, disparate roles are emerging in the security profession: the traditional technical IT security requirement is decreasing while jobs with a managerial focus are increasing. Even the rise in specialist university education has tended to be technically focussed. Security people get passed over for management training and the recruitment process continues to be highly weighted toward the measurable technical skills.

The PwC Survey highlighted a clear lack of security management expertise that led to lack of records on where sensitive data was stored and lack of the bigger picture on security incidents. So why is it that hiring managers struggle to find people with the right skills? 80% in one of our surveys indicated that they are challenged to fill their roles, despite the current economic downturn creating a larger available workforce.

Advancements in technology and the online world have always been ahead of the related considerations for security, because people, IT and business leaders have yet to develop the skills to think securely. Tomorrow’s business leaders need to be able to instinctively strategise for secure business development.

The challenge of ensuring secure e-skills will be about far more than the information security workforce though; security should become part of the core curriculum across the entire education system, from primary schools to a broad set of university courses. It’s interesting that the majority of computing-related courses do not adequately address security issues, yet we know that strategic decisions taken by IT, from the procurement and/or development of software to the adoption of cloud services, are having a huge impact on vulnerability levels when the security requirements are not built in at the outset.
Security should also be a core element of business education. Employee induction should include security with the systems training; and security responsibilities should be part of the employment contract.

John Colley, CISSP, Managing Director (ISC)2 EMEA




Friday 30 October 2009, 5:59 PM

Watch out, your metadata is showing

Posted by Simon Bisson and Mary Branscombe

The Arizona supreme court has just decided that the metadata of a document is governed by the same rules as the document. If the metadata is attached to a public record, then the metadata too is a public record; so if, as a police officer disciplined after blowing the whistle on colleagues, you ask for your performance results then you should get metadata like who wrote them and when so you can prove whether they were written before or after you made yourself unpopular.

The original court viewed the metadata as a 'byproduct' and an 'electronic orphan' of the document; the supreme court said it was illogical to separate it - because if the date was written on a paper record you'd get to see it so why should it be hidden because it was added electronically. The case was complicated by the fact that Arizona law on public records doesn't actually define what a public record is, and by the fact that America has two sets of laws (State and Federal) and while federal law says metadata has to be included with documents produced as evidence in a court case, public records in the US are governed by state law.

Up until now, metadata in public documents has been dug out by eagle-eyed investigators. They've revealed things like the fact that Google was behind an anonymous complaint to the Australian Competition & Consumer Commission about eBay only accepting PayPal payments in Australia and not Google Checkout; or that the farmers who asked congress to hold hearings on a Google-Yahoo deal handed in a letter written by lobbyists LawMedia in what looked like a tit-for-tat fight over net neutrality; or that the MPAA actually wrote an anti-piracy letter that the California attorney general put his name to - or closer to home, that the 'dodgy dossier' on WMDs was plagiarised from student essays by civil servants rather than compiled from real research by the security services.

Virus writers know this; it was Word metadata that convicted the writer of Melissa. Companies know this - or they ought to by now. If you're archiving email in a repository, it's crucial to store the original metadata for forensic purposes. If you’re storing documents in a repository, you need to store - and produce - metadata. The information in metadata is as important as the actual document and sometimes more so, says Craig Carpenter, VP general counsel at enterprise search experts Recommind. “Without knowing when something happened, or who was involved, electronic evidence is often useless – thus, metadata is critical.

“Because of metadata’s critical nature, it is generally deemed to be part and parcel of the document it describes – if the document is relevant and must be divulged, then so must the metadata. To somewhat varying degrees, jurisdictions like the UK and US require that relevant evidence or information should be preserved and shared with the other side, for example in litigation, as it is needed to help the trier of fact, the judge or jury, determine the ultimate outcome of a matter.”

"Metadata can certainly be the subject of disclosure orders in civil litigation," agreed UK lawyer Simon Bradshaw and pointed at this UK legal definition of a document which "also extends to additional information stored and associated with electronic documents known as metadata".

But that's for documents stored by companies. What about government and public bodies and the Freedom of Information Act? Do the principles of the Arizona ruling apply here? Carpenter thinks so; "While there is an absence of specific statutory coverage, this same theory generally holds true with FOIA-like situations – that is to say, that where it is not relevant metadata probably does not need to be divulged, but where it is potentially relevant, for example who sent certain email messages, to whom, when et cetera, it generally does need to be divulged."

There are tools for removing metadata from documents (Office has a built-in option). There are tools for preserving metadata; Adobe often works with the police and security forces to secure chains of evidence. Companies need to know how to use both options (and when to use which one) - and Arizona might be a timely reminder that so do public bodies.

-Mary


Friday 30 October 2009, 11:43 AM

Facebook checks where you're logging in from

Posted by Jonathan Bennett

Here's something I didn't know: Facebook keeps track of where you normally log in from, and uses this information to increase the security of your account. If you try to log in from an unusual location (for you), you're asked to provide extra information, such as your birth date.

This was discovered by Ed Parsons, Google's Geospatial Technologist, on a recent business trip to Uganda.

This is the same method as credit card companies use to detect fraudulent use of cards, and it's not a bad idea.


Tuesday 27 October 2009, 5:48 PM

Google ABC’s… I Like

Posted by MobileTech

My company has been listed in Google’s auto-complete web services for a long time; if you type in “MyMobiS” you’ll see the auto-complete for my brand MyMobiSafe.com. For some of the most popular web searches however, they’ve penetrated the coveted Google ABC’s… which is when you type just one letter “A, B, C,…” their brand is the first to show in the auto-complete.

For fun, do a Google search and type in the letter A, what you’ll find to no surprise is “Amazon” as the first auto-complete suggestion.
What about the other brands that pop up? Here is a little list I made and some of the auto-complete brands might surprise you.

A=Amazon
B=Best Buy
C=Craigslist
D=Dictionary
E=Ebay
F=Facebook
G=Gmail
H=Hotmail
I=IMDB
J=Jet Blue
K=Kohls
L=Lowes
M=Mapquest
N=Netflix
O=Old Navy
P=Pandora
Q=Quotes
R=Realtor.com
S=Southwest Airlines
T=Target
U=USPS
V=Verizon Wireless
W=Walmart
X=XM Radio
Y=Youtube
Z=Zillow

While the Google auto-complete feature may make you question how some sites/searches take priority (as a fun example type “I like” into Google to see the funniest auto-complete priority around) the reality is that it means mega hits for the sites that make it into the priority. Interestingly enough, despite having spent tons of money in the beginning advertising with Google for MyMobiSafe.com, we didn’t seem to make it into the Google auto-complete directory until I had published a blog regarding an operational vulnerability within Google’s Android Mobile Operating System… go figure???

If you want to take a website global, the reality is that people need to be able to find it and that is exactly where Google fits into foreign market entry. Does your firm appear in Google’s auto-complete feature? Whether you’re a small business or a multinational, the reality is that if you don’t have an accessible website, you will struggle and likely suffocate as the business domain continues its digital expansion. Who will emerge as a titan of mobile search? Will Google struggle in this unique landscape of mobile search just as Microsoft has with their mobile operating system?

BTW…
I Like= i like to tape my thumbs to my hands to see what it would be like to be a dinosaur

Cheers,
Eric Everson - If technology is the wave of the future, then call Surfer Magazine because my board is waxed and I’m in the barrel!


Sunday 25 October 2009, 12:12 AM

Guardian UK Jobs site hacked, user data breached

Posted by Karen Friar

The Guardian Jobs website has come under attack from a 'sophisticated and deliberate hack' that has exposed sensitive data, according to an email sent to affected users on Saturday.

The breach is related to data submitted by people who have applied for a job via the Guardian Jobs site. The intruders may have got access to the personal information in those applications, according to the email.

"We have been assured by our provider that the system is now secure and we have identified and contacted everyone who may have been affected," Guardian News and Media said in a web page about the breach.

The system supplier has identified the hack, and the e-crime unit at Scotland Yard is investigating, the Guardian said. The publisher said it found out about the break-in on Friday evening.

The Guardian, which said it is "treating this situation with the utmost seriousness," has not indicated what, if any, steps it will take to help affected users recover from the breach and protect them from the misuse of their personal data.

However, it has provided a list of police-endorsed steps that people can take as a precaution. These include consulting a credit reference agency such as Equifax to "resolve the situation and prevent it happening again," paying CIFAS to place a fraud alert on your credit file and visiting banksafeonline.org.uk for information.

The Guardian has not provided a dedicated email address for users to contact them about the breach. Instead, it is urging people to visit its page about the breach.

"The fact that they allowed this to happen is one thing, and while I applaud their openness in swiftly notifying those of us who might have been affected, the attitude that the problem is now entirely ours is outrageous," one affected user, who wished to remain anonymous, told ZDNet UK on Saturday.


Friday 23 October 2009, 1:05 PM

Natwest systems failure causes outage

Posted by Tom Espiner

Natwest's computer systems experienced problems that led to service outages, according to reports by bloggers and Twitter users.

Dan Stuchbury, a developer who lives in Wiltshire, blogged on Friday that he had been told at his local Natwest branch that their computer systems had crashed.

Twitter user Gavin Quayle said that Natwest ATMs across London were also not working. Other Twitter users reported that RBS machines were also down (Natwest is owned by RBS).

A Natwest spokesperson told ZDNet UK on Friday that there had been an internal technical problem with Natwest's systems, and that no outside hack had caused the outage.

"There was a technical issue impacting some of our systems for a short period of time this morning," said Natwest in a statement. "We quickly identified and resolved the issue and we apologise for any inconvenience this may have caused our customers."

The outages lasted for approximately an hour, said the spokesperson.

While the issue affected all Natwest branches in the UK, no RBS bank machines had been affected, the spokesperson added.

