The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
The Mobile Fail Parade
In This Issue:
- It's mobile security's turn to #FAIL
- Those Wipro blues, again
- A silver lining in the dark cloud of IoT security
- Big brother’s STILL watching you
It's Mobile Security's Turn To #FAIL
This week, it's mobile security's time to grab the spotlight of fail.
Security flaw lets attackers recover private keys from Qualcomm chips is this week's headline grabber. "At the time, secure authentication provider Duo Security said that Qualcomm chipsets were being used on around 60% of all Android enterprise devices, a percentage that has since increased, as Qualcomm chips have become even more popular."
MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices is also worth a look, and this article also contains a link to this week's podcast.
The hits just keep coming on mobile security this week, with Malicious lifestyle apps found on Google Play, 30 million installs recorded, Hotspot finder app blabs 2 million Wi-Fi network passwords, and Runaway Saudi sisters call for 'inhuman' woman-monitoring app to be pulled all serving as good examples of how the little glass slabs in our pockets that contain all of humanity's knowledge aren't always our friends.
This week's mobile fail parade should serve as a good reminder that Mobile Device Management (MDM) software is not only important, but needs to be regularly reviewed. Even if your organization has an MDM solution, it’s worth periodically reviewing that the solution in question is meeting not only business needs, but is actually coping with emerging threats. The days where we could handwave away malware and security problems as something that only affected Windows are well and truly behind us.
Those Wipro Blues, Again
Last week we used Wipro as an example of what not to do when handling the aftermath of a breach. They've continued to provide us with free education this week: Wipro Intruders Targeted Other Major IT Firms and Indian outsourcing giant Wipro confirms flushing phishers from systems form the week's reading.
In this week's What Not To Do - Part II, we are taught that organizations should try to avoid inadequately briefing the person who has to do the calls with shareholders and journalists. Also, they should probably be told not to "bend" the truth in said calls. This could poison the relationship with partners.
The real problem here is short-term thinking by marketing, PR and communications teams during the scramble to release a statement. The other major firms who were targeted provided statements to the press that were more thought out than Wipro's. Providing the information that people will want to know usually works better than flustered obfuscation.
Maybe Wipro's not the only one who's got some 'splaining to do in this situation. From the article above: "What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com."
Dealing with a breach doesn't end when you stop the spread and clean up infected machines. Your incident response plan should involve educating those in your organization who have to speak about the incident, as well as sending relevant information to your anti-malware provider, and/or to more vendor-neutral projects such as VirusTotal. We all have a part to play in making the Internet a safer place.
A Silver Lining in the Dark Cloud of IoT Security
This week in IoT schadenfreude we have… something positive about IoT?!? The future of cybersecurity: Your body as a hacker-proof network is the first thing involving IoT that we've read in some time which doesn't cause sadness.
The proposed solution would pretty much be limited to medical and fitness IoT, but we're disproportionately excited about finding any news at all about IoT Security being even fractionally less frightful. Now if someone would only secure the other billion or so IoT devices out there.
Traditional information security products aren't proving good enough to solve the IoT security problem. If your organization is already deep into IoT, or is seriously considering diving in, it’s worth engaging in some orthogonal thinking about how to secure these devices. Convenience and automation are the key, especially as the number of IoT devices starts to scale.
Big Brother’s STILL Watching You
When compiling this week's research, our initial feeling was that this particular collection of links and analysis would not be something that would make it into The Countermeasure. As a general rule, we try to write for an audience with a modest understanding of infosec and IT history, and under those rules, this needs an article rather than a blurb.
Upon review, however, it was decided that the Zeitgeist this week not only needed to be added, but that anyone who actually reads The Countermeasure is probably on team "I have been warning you about this for years." The creeping abuse of surveillance has tripped our pattern detectors harder than usual, and it's all the more depressing because we’ve collectively been warned about this since at least the late 18th century.
The facepalming starts with Baffling tale of Apple shops' 'non-facial' 'facial recognition', a stolen ID, and a $1bn lawsuit after a wrongful arrest. Keep in mind that machine learning is trendy, but it's also not mature yet. If your business uses facial recognition in video surveillance, get a human to double-check the results before you unleash the SWAT team.
If you need additional persuasion, read this: Facial recognition fail allows politician’s kids to access his laptop. And this: Academics hide humans from surveillance cameras with 2D prints. For how not to interact with the public on the subject of facial recognition: NYPD forgets to redact facial recognition docs, asks for them back and Facial recognition creeps up on a JetBlue passenger and she hates it offer some important lessons.
Normally, that many links would be enough of a pattern to trigger inclusion in a week's Countermeasure, but oh, there are so many more. Facebook asked to clamp down on cops creating fake accounts, Will the US Adopt a National Privacy Law?, and Facebook: Not saying we've done anything wrong but... we're just putting $3bn profit aside for an FTC privacy fine are all part of the increasing focus on Facebook's ever-increasing creepiness.
Why Facebook hired a Patriot Act author and privacy activist and Facebook: we logged 100x more Instagram plaintext passwords than we thought are worth perusing as well, as is Mark Zuckerberg, Elizabeth Warren, and the Case for Regulating Big Tech, even though it's from a bit earlier.
Remember that surveillance is about more than simply spying on your personal habits so that the cops always have an excuse to jail you if you mouth off. Surveillance is also used for industrial espionage, and to find easy targets for cybercrime. As you and your employees are tracked on your daily meanderings, your patterns are logged. Go to the same place for coffee every day? That becomes a target location to sneak a USB key into your bag, or get 30 seconds alone with your phone. Teach this to your staff. Teach them (and yourself) to vary your patterns. Learn to avoid surveillance, especially when carrying sensitive information. Remember: someone is always watching.
Quote of the Week:
The god of the gaps argument has always been flawed, but the rephrasing of it in this context works. The existence of ignorance isn't proof of god, superhackers, or any other grand design. It is simply that the more you know, the more you realize just exactly how much you don't know.
As the area of our knowledge grows, so too does the perimeter of our ignorance. – Neil deGrasse Tyson.
Podcast of the Week:
Since it’s mobile's week to fail, this podcast is worth a listen. The link to the podcast is at the top of the page.
MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices
Video of the Week:
We would like to go a week without talking about Facebook. We really would. But this TED talk is probably going to make waves.
Facebook's role in Brexit – and the Threat to Democracy
- Man fried over 50 college computers with weaponized USB stick - Not all attacks are about stealing data.
- Phone fingerprint scanner fooled by chewing gum packet - Stop us if you've heard this before, but Biometrics ≠ passwords
- Not one of the 12 steps: Rehab patients' details exposed in publicly visible database
- Security researcher creates new backdoor inspired by leaked NSA malware
- Who Gets Targeted Most in Cyberattack Campaigns
- Cybersecurity: UK could build an automatic national defence system, says GCHQ chief