Posts Tagged ‘smartphones’

Keynote sessions from Infosecurity Europe 2012 – and a few other stories

April 29, 2012

Infosecurity Europe is over for another year. If you weren’t there, well, I suggest you make sure you get there next year. Meantime, here’s my take on a couple of the announcements and almost all of the keynote sessions:

Infosecurity Europe 2012: Minister of State for Universities and Science introduces the 2012 security breaches survey
The challenge, says the Rt Hon David Willetts, is that in order to get the economic and social benefits that the internet offers, we need to first tackle cyber security.
24 April 2012

PwC and Infosecurity Europe release the latest Information Security Breaches Survey
Significant attacks more than double, but one in five companies still spend less than one percent of their IT budget on security, and more than half of small organizations do no security training at all.
24 April 2012

Russian cybercrime: what Russia is doing, and what it should be doing
Russian security company Group-IB says Russian cybercriminals made £2.3b in 2011; Russian-speaking cybercriminals made more than $4b; and worldwide, cybercriminals made more than $12.5b.
24 April 2012

Trustworthy Internet Movement Launches Pulse Tracker
The problem, says Pulse, is that we are telling users that this site has SSL, so it’s secure. That’s not necessarily true. We are promulgating a false sense of security, and we need to fix that.
25 April 2012

Infosecurity Europe 2012: defining risk management in the context of information security
The three companies represented on the keynote panel (G4S Secure Solutions, Steria UK, and Skipton Building Society) are very different; and their CISOs have very different views on the functioning of risk management within infosec.
25 April 2012

Infosecurity Europe 2012: the rising role of the CISO
Chaired by Quocirca’s Bob Tarzey, Network Rail’s CISO Peter Gibbons and Yell’s CISO Phil Cracknell led a lively discussion on the current and future role of the CISO.
25 April 2012

Ipswitch survey reveals the extent to which IT is losing control over data
IT needs governance; but users are choosing simplicity. In choosing and using their own non-sanctioned methods for data transfer, users are causing IT to lose control over its own data.
25 April 2012

Infosecurity Europe 2012: AET & APT – Is this the next-generation attack?
Advanced persistent threats (APT) and advanced evasive techniques (AET): what are they, who’s doing them, and what can we do about them?
26 April 2012

Has the time come to dump anti-virus?
Bit9 asks the question that dare not be spoken: is anti-virus beyond its sell-by date? And is BYOD the final straw?
26 April 2012

Infosecurity Europe 2012: The ICO on better regulation and better infosec
Christopher Graham, the UK Information Commissioner, talks about his role as an information regulator and facilitator at Infosecurity Europe in London.
26 April 2012

Infosecurity Europe 2012: Are we smart enough to secure smartphones?
Three heads of security from three very different organizations came together to discuss their practical and very different experiences in introducing a company BYOD strategy.
26 April 2012

Infosecurity Europe 2012: The insider threat – is it real?
While the primary security stance faces outwards and is designed to keep hackers and malware outside of the system, organizations are increasingly aware that their own staff are also a potential – and in some cases an active – threat.
27 April 2012

Infosecurity Europe 2012: The cloud – do you really know what you’re getting into?
The cloud is new; but it’s been around for years. It’s insecure; but more secure than we fear. Two practitioners discussed the cloud of FUD.
27 April 2012

It’s the lack of understanding of virtualization that makes security an issue
A new study from Kaspersky Lab confirms an earlier one from Crossbeam Systems: it’s a lack of knowledge about virtualization that leads to fear for its security.
26 April 2012

Categories: All, Security News

Appstore security: a new report from ENISA

September 13, 2011

ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect itself against infiltration by malapps (not a widely used word yet, but watch it grow): programs that pose as legitimate smartphone apps but are really just plain malware.

Appstore security: a report from ENISA

The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are

  • App review – bleeding obvious but not foolproof
  • Reputation – not foolproof
  • Kill switch – hang on a bit
  • Sandboxed apps – bleeding obvious
  • Jailing – hang on a bit more

App reviews should obviously be done. But they’re not foolproof, and they are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, a malicious app can still pass: there is no guarantee against false negatives.

Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources an attacker can publish a few genuine, well-behaved apps, bank the reputation they earn, and then slip the malicious one in behind it.

Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later, or in the small print, that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it: not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And in any case they are not reliable: DroidDream foiled the Android kill switch by gaining root and operating outside the sandbox the switch relies on. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:

in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.

I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.

Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work, or even be possible, in all cases; but it’s still a good idea.

Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.

You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.

Categories: All, Security Issues

Is Google’s m-wallet a disaster waiting to happen or a bulldozer that cannot be stopped?

June 3, 2011

Commenting on an article in Computerworld, Phil Lieberman, President and CEO of Lieberman Software, agrees that Android’s upcoming m-wallet (mobile phone wallet) is ‘a disaster waiting to happen’. The original article by Ira Winkler comments:

A smartphone’s operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment.
Mobile payment systems: A disaster waiting to happen

Phil adds to this:

Ira’s comments are bang on the money. Whilst it’s great to hear that m-wallet solutions will be Visa PayWave or MasterCard PayPass-compatible – meaning that the wireless data transmissions are encrypted – the problem comes if the smartphone itself is less than secure.

But are the doom-mongers correct? Well, yes they are – but any use of any computer for any purpose is a disaster waiting to happen. Since m-wallets will happen (they’re cool and useful, the two primary drivers for any commodity), the real question is whether the m-wallet is significantly less secure than any other method of payment. And I’m not at all sure this is true. Like everything else in security, it is user-behaviour that makes something more or less secure.

Phil comments that:

…with large numbers of Apple iPhone users jailbreaking their handsets to escape network locks, it looks like that most flavours of smartphones will be susceptible to security faux pas for some time to come.

That’s what I mean about user behaviour. Using a jailbroken iPhone as an m-wallet is like walking through a crowded mall with an open bag and a visible purse/wallet: it is the user rather than the wallet that is at fault. So what are the alternatives to the m-wallet, especially since cheques are being phased out by the banks (and we can expect them to do the same with cash over the next couple of decades)?

For now we have cash in a purse. Well, that’s less secure than a smartphone. Most people realise within minutes that they have lost their phone, and can lock or wipe it remotely in an instant, so the money in the m-wallet cannot be spent. Cash in a lost purse is simply gone.

Bank cards? Well, they’re hardly secure, are they? They can be stolen or lost, and cloned. Cambridge University researchers have demonstrated a man-in-the-middle device that tricks a chip-and-PIN terminal into accepting any PIN on a valid card. And contactless cards really are a disaster waiting to happen.

Mobile banking on a laptop? Just as easily lost or stolen; and just as easily hacked. Zeus/SpyEye anyone?

Personally I can see our entire lives migrating to smartphones. Our front door key, car key, kicking the house into action before we get home, e-government and proof of identity. Trying to stop this happening will be like standing in front of a bulldozer. The requirement is not to prevent it, but for the security industry to improve security, and for users to improve behaviour.

Which will leave me with a problem: I don’t have a smartphone; and won’t have one until they invent one that won’t fry my brains – or worse if it’s in my pocket.

Categories: All, Security Issues