Tag Archives: android

Manuela Arcuri

Monica Belluci and Security

Trends –  security and movie stars, Manuela Arcuri and  Monica Bellucci, Verisign and Mcafee.

Information security and  risk analysis is complex stuff, with multiple dimensions  of people, software, performance, management, technology, assets, threats, vulnerabilities and control relationships.  This is why it’s hard to sell security to organizations. But, information security is also a lot like fashion with cyclical hype and theater: today – , HIPAA, iOS and Android security,  yesterday – Sarbanes-Oxley, federated identity management, data loss protection and application security firewalls.

Back in 2007,  I thought we might a return to the Age of Reason, where rational risk management replaces blind compliance check lists – I thought that this could happen  for 2 reasons:

  1. Compliance projects  can have good business value, if you focus on improving the product and it’s delivery.
  2.  Security is like fashion – both are cyclical industries, the wheel can also turn around in the right direction.

HIPAA compliance is a minimum but not sufficient requirement for product and process improvement.

Healthcare companies and medical device vendors that do HIPAA compliance projects, may be paying a steep price for HIPAA compliance without necessarily getting a return on their investment by improving the core features and functionality of their products and service offerings.

Compliance driving improvements in products and services is good for business, not just a mantra from Mcafee.

It could happen, but then again, maybe not. Look at the trends. Taking a sample of articles published in 2011 on the  eSecurityPlanet Web site we see that  mobile devices and cloud services lead the list, followed by IT security with healthcare closing the top 15. I guess cost-effective compliance is a lot less interesting than Android security.

  1. iOS vs. Android Security: And the Winner Is?
  2. 5  iOS 5 Enterprise Security Considerations – You can’t keep Apple out of the enterprise anymore so it’s best to figure out the most secure way to embrace it, writes Dan Croft of Mission Critical Wireless.
  3. PlayBook Tops in Tablet Security – Recent price reductions may mean more Blackberry Playbook tablets entering your organization, but that may not be such a bad thing for IT security teams.
  4. Android Security Becoming an Issue – As the Android mobile platform gains market share, it also garners a lot of interest from cyber crooks as well as IT security vendors.
  5. Which Browser is the Most Secure? – The ‘most hostile’ one, say researchers at Accuvant Labs.
  6. How to Prevent Employees from Stealing Your Intellectual Property -It’s the employee with the sticky hands that is the easiest and cheapest to thwart.
  7. Security Spend Outpacing the Rest of IT – High profile breaches and mobile devices are driving IT security spending.
  8. Public Cloud Keys Too Easy to Find -If you put the keys to your cloud infrastructure in plain sight, don’t be surprised if you get hacked.
  9. Zeus (Still) Wants Your Wallet – The antivirus community has failed to figure out this able and persistent piece of malware. It’s as simple as that.
  10. Spear Phishing Quickly Coming of Age – Even the security giants are not immune from this sophisticated and growing form of attack, writes Jovi Bepinosa Umawing of GFI Software.
  11. Penetration Testing Shows Unlikely Vulnerabilities – Enterprises need to dig deeper than just automated scanning to find the really interesting and dangerous cyber security flaws.
  12. Bank Fraud Still Costing Plenty – Bank fraud is and will continue to be an expensive problem.
  13. Do IT Security Tools Really Make You Safer? – Yet another suite of tools for IT security folks to administer and manage can actually have the opposite effect.
  14. Siege Warfare in the Cyber Age – In one the unlikeliest turn of events brought about by technology, it looks like Middle Ages’ siege warfare may be making a comeback, writes Gunter Ollmann of Damballa.
  15. Healthcare Breaches Getting Costlier – And it’s not just dollars and cents that are on the line – reputations are on the line, writes Geoff Webb of Credant Technologies.
Tell your friends and colleagues about us. Thanks!
Share this

Mobile device security challenges

It has been said that there is nothing new under the sun and that every generation forgets or never learned the hard-earned lessons from the spilled blood of the previous generation.

Reviewing the security and compliance issues  of a new mobile medical device recently, I was struck by how familiar many of the themes are.

What makes mobile devices special? Actually nothing.

Deploying line of business or life science applications on mobile Android tablets or an iPad has a different set of security requirements than backing up your address book. It requires thinking about the software security and privacy vulnerabilities in a systematic way and using a rigorous practical threat analysis methodology. As we will show in this short article, the key vulnerabilities of mobile devices are similar to traditional IT security vulnerabilities even if the threat surface is dramatically different.

However, a software security assessment of a life science software application deployed on a mobile device needs to look beyond the malware and spyware and data breach attacks on the device. Mobile Android tablets or iPads running electronic medical records applications are usually deployed in uncontrolled, complex and highly vulnerable environments such as enterprise IT networks in hospitals.  The software security issues are much more severe than those of a single tablet:   a combination of network vulnerabilities, application software vulnerabilities, malicious attackers superimposed on  the large, complex threat surface of an enterprise IT network.

The mobile medical device is now an attack vector into the hospital network, a far more valuable asset than the mobile device itself.

It seems that there are 5 key areas of vulnerability for  mobile devices, but not surprising, they all coincide with the classic IT network vulnerabilities:

Protocol coverage is lacking: Mobile  devices often rely on built-in  firewalls or enterprise network isolation. The protection that firewalls provide is only as good as the policy they are configured to implement and there are a whole slew of issues related to remote security policy management of untethered devices. I expect that analysis of network exploits on mobile devices with internal firewalls, will match analysis of real-world configuration data from corporate firewalls  that shows  rule sets that frequently violate well-established security guidelines (for example zone-spanning objects and lack of stealth rules). In addition, a stateful inspection firewall on a mobile device doesn’t perform deep content inspection on complete sessions and is therefore blind  to data theft attacks – for example piggy-back attacks  on text messaging in order to steal sensitive data.

Proxy-based access to control a device is convenient but may enable attackers to compromise a device and steal data – proxies end-point devices to obtain direct access to the Internet – research with clients show us that as much as 20 percent of all endpoints already bypass content filtering proxies on the enterprise IT network.

Visibility of network transactions is usually missing making incident response very difficult: Firewall and proxy logs are generally never analyzed, and often lag hours behind an event. An IPS often relies on anomaly detection. Anomaly detection relies on network flow data, which is often reported at intervals of 15 to 45 minutes. With that kind of lag, an entire network can be brought down. Because anomaly detection is looking for an anomalous event rather than an attack, it is frequently plagued by time-consuming false positives. A proxy on the other hand relies on URL filtering and simple keyword matching that analyzes the HTTP header and URL string. By looking at content and ignoring the network; a proxy can suffer from high rates of false negatives, missing attacks.

Multiple security and application layers increases cost of implementation and maintenance. Installation of multiple, disparate, proxy-based security products complicate network and end-point maintenance. Proxies require changes to the network infrastructure and in large networks may be impossible to install.  Updating mobile device application software to latest patch levels can be challenging to enforce and control and may result in injecting new software vulnerabilities into the device as there is probably not central IT administrator in charge of updating the mobile electronic medical records application running on 300 Android tablets in the hospital.

Redundant, multiple network security elements increase risk in the overall solution: This is additional risk that manifests itself as a result of the interaction between  mobile devices accessing cloud services via  a complex system of cache servers, SSL accelerators, Load balancers, Reverse proxy servers, transparent proxies, IDS/IPS and Web Application Firewalls. Consider that endpoints can bypass SSL proxies by specifying a gateway IP address and transparent proxies on a Windows network are no assurance for unauthenticated user agents bypassing the entire proxy infrastructure. HTTP-Aware firewalls such as Web application firewalls can be completely or partially bypassed in some cases. Transparent proxies can be compromised by techniques of HTTP response splitting since they rely on fine-grained mechanisms of matching strings in HTTP headers.  This is why Mozilla is delaying their implementation of Web sockets which may not matter if you’re running Chrome OS.

It’s a new dawn but with old rules.

Tell your friends and colleagues about us. Thanks!
Share this

Android 2.2 supports mobile cloud security

Courtesy of Cloud Computing Topics – Olafur Ingthorsson

Android 2.2 is now fulfilling the minimum enterprise security requirements, i.e. device locking and remote wiping – amidst a long list of other enterprise cloud computing must-haves.

It seems that with the latest Android release, v. 2.2, Google is stepping into the enterprise mobile cloud computing realm with its mobile platform. Android 2.2 is supposed to support many of the required security policies enforced in enterprises, especially concerning enterprise email. These include automatic handset lock due to inactivity and administrator remote wiping in the case of lost or stolen handset. More information is given on Google’s Enterprise blogmobile cloud security

Another very interesting feature is the latest support for Android, and many other major platforms,  through Google Apps, enabling users to administer security features on their handsets from a browser and by installing the Google Apps Device Policy, that will soon be available from the Android Market. Google is clearly taking a big step in providing a multi-platform support for its Google App suite on mobile phones for enterprises. This service is free of charge for customers that have the Google App Premier Edition subscription ($50 pr. user/year). The Google Apps Device Policy can be used to synchronize data (email, contacts, calendar, and Picasa photos) between the supported device and a Google Apps domain.

Furthermore, with Andriod 2.2. handsets;

Google Apps Premier and Education Edition administrators can manage their users’ Android devices with a set of mobile device management policies designed to let users access their data while keeping organizational information secure. These policies include the ability remotely wipe data from lost or stolen devices, require a device password, set password complexity, and more.

With this development, Google is strengthening its position in enterprise class mobile cloud computing. Previously, Android users could of course access their Gmail and Google Apps remotely on their handsets, but enterprises generally haven’t been willing to accept the platforms due to its lack of control and security mechanisms. Now, Android 2.2 is fulfilling the minimum security demands required by enterprises, i.e. device locking and remote wiping. Then there are additional features, similar to what the MS Exchange Server Active Sync can enforce, like:

  • Require a device password on each phone
  • Set minimum lengths for more secure passwords
  • Require passwords to include letters and numbers

These policies can be enforced on devices that have installed the Google Apps Device Policy application. So far, enterprise mobile cloud computing has been somewhat exclusive to Blackberry and platforms that support MS Exchange Active Sync policies, like Nokia E-series. However, it now seems that Google is entering this domain as well with its latest Android version and the Google Apps Device Policy application. It certainly will be exciting to continue to follow this progress and monitor Google’s success in the mobile cloud computing domain.

Tell your friends and colleagues about us. Thanks!
Share this