Does your smartphone app discover all your accounts?
There’s a chill in the air, and it’s not just the normal fall morning breeze. In the era of NSA Prism/Xkeyscore/whatnext surveillance, and considerable cybercrime enterprises, smartphone app developers seem to be taking advantage of a very lax culture of ‘accept all’ security features.
I recently developed an online Security+ course for a local university. As an assignment for the course I asked students to search for and install a few versions of the simplest of smartphone apps, the flashlight app that will turn on the camera LED for convenience lighting. Such a limited application has no need for the extent of permissions that they receive, yet thousands of users blithely ‘Accept’ them.
This year, one of my friends basically told me ‘yer playin’ and signed me up for his football fantasy league. As a newbie to fantasy sports, I am enthralled by the business of it, and the IT that supports it. So I drafted my team, downloaded the smartphone app, and anxiously awaited opening night. As the pregame entertainment built for the nations most popular sport, I fired up my app, and was prompted for the mandatory update. Now granted most of the 85,000 users who ranked this app 4.4/5 stars never bother to read the App Permissions listed prior to pressing ‘Accept’, but I am not your average user.
Of the ‘permissions’ listed the first one that jumps out at me is ‘Your Accounts; Act as an account authenticator, manage the accounts list, use the authentication credentials of an account’. While that seems innocuous enough, I would certainly word it more specifically to my account and this app, and the fact that it is not does leave me with some reservations. Because the extent of permissions requested for the app is so long, you must use the ‘Display All’ button to see what doesn’t fit on the screen, and access the ‘second tier’ to find the real devil in the details. First item on the extended list, is our old friend ‘Your Accounts’. Only this time, it is described with ‘Discover known accounts’. Now my reservations are truly turning to red flags, as I press this item to open the third level of the menu which describes this permission as ‘Allows an application to get the list of accounts known by the phone’. Obviously the developers of this app are not applying the philosophy of least privilege. Certainly the need to monetize a service justifies the use of aggregated and non PII user information for the purpose of targeted advertising, but I see no such need for this level of app permission.
As much as I wanted to follow my team matchup throughout the game, and know how many points my Ravens defense and Denver kicker would earn, I just couldn’t accept that level of voluntary intrusion to my privacy. But what bothers me more is my feelings of estrangement, exclusion, of social stigma, for not being one of the 85,000 users so willing to blissfully play on without regard to the consequences. This cultural acceptance of the ubiquity of smartphones, and the app ecosystem it supports, seems to be ripe for exploitation. Whether by intent or by accident, my experience with both Android and iOS apps is that they seem to have no regard for secure software development. It reminds me of the ‘shrink wrap EULA’ from what seems like so long ago.
What do you think? Are you one of the 85,000 who blissfully play on, or are you out here in the cold with me?
Ethical implications of whistle blowing
(ISC)2 code of ethics;
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
One thing will jump out at you right away - the first priority of a CISSP is to protect society.
Each of us are called upon to make small ethical choices every day. Unfortunately far too many
of us will face a major ethical decision at some point during our professional life as an
Information Security professional. Stumbling upon a 0 day vulnerability, leading an Incident
Response, or deciding if we should go public with what we perceive of as an abuse of the
systems in place to manage access to potentially sensitive PII. As an example of how to ethically
deal with a breach notification, I would encourage you to read up on the Heartland Payment
Systems breach. I wrote an article for the ISSA Journal in January of 2010, Information Security
Breach Disclosure: When, How Much, and to Whom
In my opinion, the management team at Heartland not only did the right thing by adopting a
strategy of transparency, but the reaction of the markets supported my conclusion - the share
prices rebounded quickly and the company was actually valued slightly higher within a year of
Why do I bring this up now? Recent news stories about the leaks related to NSA activities have
me asking myself, is Snowden a heroic whistle blower as he claims or a traitor as the NSA and
federal prosecutors assert? Without access to more information we the public won’t be able to
make the same kind of assessment as the markets were able to make after the Heartland Payment
Hopefully none of us will be placed in a situation where we will have to decide between doing
the right thing, or protecting our professional standing but if we are - I would hope that we
would each think back to the code of ethics we agreed to adhere to when we became a CISSP.
M. Scott Koger, CISSP CRISC
NOAA National Climatic Data Center (NCDC)
The Great ATM Heist - is it really newsworthy?
On Friday, May 10, we saw many headlines about the latest great ATM bank robbery. Apparently these types of attacks are being regarded as something new and noteworthy. Interesting indeed when you consider what should be NEWS is the very fact that this attack simply repeats what we saw last December. It’s very similar to attacks that have been evolving for years.
The elements of the attack are not new. An almost identical attack was done way back in 2008 and was attributed to Russian and Estonian hackers. We dissected the attack in our Strategy to Reality workshop so clients could understand the attack vector and consider means of stronger, integrated defences. We showed how the attackers have used extremely well coordinated and synchronized campaigns. In recent attacks they even went to the trouble of raising the account withdrawal limits.
Yesterday’s attack was again elegant, distributed and was more in line with last Decembers attacks that hit a few middle-eastern banks. Seems we’re not paying enough attention to this growing problem. The big question is WHY NOT?
So, what’s another $45m from a well developed ATM heist? Well, the most common reason for ignoring crime is the misbegotten belief that it doesn’t directly impact you. This is dead wrong. We’re feeding a beast that will get more and more destructive if we don’t address it.
Is Ticketmaster’s paperless ticket PCI compliant?
I recently purchased tickets to a concert event with Ticketmaster’s paperless ticket process. It was not my preferred method, but tickets were hard to get and for this event it was the only option. The purchase application instructed me to ‘go to the gate and present picture ID and credit card’ for admission. Nonetheless, I still felt compelled to go to the will call window and collect my tickets. To my surprise, I was instructed to go to the security entrance, the gate, and all would be well. When I approached the gate, I asked ‘how does this work with a paperless ticket?’ and the gate attendant asked for my credit card. I handed him my credit card, and expected to have to show picture id. The attendant swiped my credit card through a roughly 6′ x 8′ device he was wearing over his shoulder, and printed two tickets. He asked if everyone in my party was present, which we were, and he handed me our tickets that he had just printed.
Aside from my apprehension of approaching a concert venue without a ticket, or even a receipt of purchase for a ticket, or an eticket on my cellphone, the experience was quick and easy. Ticketmaster has taken criticism of this process for the lack of a ticket holders ability to transfer their tickets, essentially creating a ticket license that excludes StubHub and others from participating. But I couldn’t help but ask ‘How is this PCI compliant?’
Obviously my credit card Primary Account Number (PAN) was used to identify my ticket transaction and complete the purchase. The PCI DSS is required whenever the PAN is stored, processed or transmitted. Of course Ticketmaster crossed that rubicon long before, with the initial purchase and online account creation. I am confident that Ticketmaster has policies and procedures in place to meet the PCI DSS standard. But as we know, neither this nor certification ensures compliance in all instances.
My concern is that extending the use of the PAN for purposes of authentication at venues is a huge increase in risk exposure, as well as the scope of assessment. Granted, Ticketmaster has offices at the venues where paperless tickets are used and is likely in control of the hardware assets being used. But these are usually contractual arrangements with the venue. Further, venue managers often contract with other entities for security and other staffing needs during special events. Ensuring compliance through these contract relationships is much more difficult.
Certainly this process can be PCI DSS compliant with the proper application of encryption and policy enforcement. But as a IT Security professional, I would prefer to minimize risk and avoid the use of the PAN where possible.
As a concert attendee, I would much prefer a ticket in hand. Perhaps I am waxing nostalgic as I recall the concert tickets of old that featured album art, artist photographs, reflective ink, and theater specific attributes that made them appeal to me enough to consider them collectors items.
What do you think? Is the convenience of a paperless ticket worth it?
How secure are the IT components that go into our devices?
One of the most interesting and challenging security issues that can only be addressed by governments and large organization’s is the actual integrity of the computer products being purchased. While most of the world has worried about what American spy agencies might have embedded in systems over the years, the tables were turned several years ago when IBM sold it’s portable computer business to the Chinese. Since then, this issue has been festering with far greater stakes than ever before.
The House Permanent Select Committee on Intelligence last month, issued a report indicating that computer components and communications manufactured by two Chinese companies might have been altered to allow the Chinese government to spy on US enterprises. The report recommended that US government systems not use any component manufactured by Huawei and ZTE, both in the top 5 of the world’s largest telecom equipment makers. See Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies, Huawei and ZTE There’s an old security axiom that says “vulnerabilities are like cockroaches, for every one you see there are probably 99 more”. That’s certainly the feeling left from these studies.
According to Gartner Fellow Neil MacDonald, not using any Chinese manufactured components would not be an easy undertaking as many of the components inside US company products are from China. The issue is not about controlling or not using anything developed offshore, it is an issue of supply-chain integrity which McDonald believes is a concern for any technology company worldwide. What is needed is transparency from suppliers along the supply chain that reveals pertinent information about components and equipment used by businesses and government, such as: how it was created, where it originated and was sourced, etc. See article How Secure are the IT Wares You Buy
This is not an easy undertaking however, and requires diligence at all levels along the supply chain to ensure the overall integrity of the final delivered product. These issues offer an interesting parallel to the Cloud, in that we rely more and more on technologies we no longer understand. However, one has to wonder just how different is this than the days of the first radio or television. Technology has always had a degree of opaqueness.
Navigating into the IT Health Care field
There has been a lot of attention and push toward integrating technology into healthcare and the requirement for staffing positions that can’t be filled from those already working in the field. If you are looking to make a move from another sector, this could be the perfect opportunity.
The biggest challenge is breaking into the industry – getting your foot in the door, without any medical job experience or advanced education in a medical related area. Many companies often want to recruit people who already have healthcare experience, especially for more senior roles. There has also not been a lot out there on skills requirements and a path to acquiring the skills needed. However, in doing research on this we did come across a report by the University of California San Diego Extension. The report “2011 Hot Careers for College Graduates” aimed to reveal the top jobs for both recent grads and those in mid-career.
Researchers compiled the data based on college enrollment figures, national employment statistics, and interviews with executives in San Diego. The federal mandate to implement EHRs (electronic health records) creates a need for health care integration engineers, health care systems analysts, clinical IT consultants and technology support specialists, the report states.
“Jobs and needs in the health care information technology field are a critical component of plans for positive change in the health care industry,” wrote Mary Walshok, associate vice chancellor of public programs and dean of UC SD Extension, in the report.
“Although much of the anticipated reform for the U.S. health care system revolves around financial incentives and risk, achieving the cost efficiencies necessary to support that reform depends on more aggressive application of information technology to daily health care operations,” she added.
In 2008, EHR and health information technicians held 172,500 jobs, according to the report. In the following decade (2008-2018), jobs in this area will grow by 20 percent.
How to navigate into this field from another is the challenge that we are seeing now. Our next blog will focus on just that.
What is the most relevant Health IT Certification?
The HITECH Act and the Affordable Care Act have certainly changed the landscape for the healthcare industry. The financial incentives to share health care information among providers as well as patients opens up a veritable pandora’s box of information security issues for clinical employees. These employees have been inundated with the privacy requirements of HIPAA, and now are tasked with maintaining privacy within an open electronic records environment.
Medical providers are desperate to maintain reimbursement levels, and the meaningful use requirements are hardly optional. Achieving these objectives is a monumental task. To help providers meet these requirements the US Department of Health and Human Services created the HITPro series of 6 exams to enhance and verify the skills of IT professionals working in healthcare.
Considering I hold CompTIA and Microsoft certifications, and exam vouchers were available for free, my curiosity compelled me to take the HITPro Implementation Support Specialist exam. Without any advance preparation of any kind I was able to pass the exam on the first try. Now granted I have a solid understanding of IT security, but I have only a laymen’s understanding of the healthcare industry. This causes me to wonder if this exam truly verifies the skills necessary for an IT Healthcare professional. Giving the program it’s due, this is only one out of the series of 6 exams.
CompTIA has a Healthcare IT Technician certification that purports to cover the knowledge and skills required to implement, deploy, and support healthcare IT systems in various clinical settings. They suggest the candidate have only 500 hours of hands on IT experience. The American Health Information Management Association (AHIMA) has a series of credentials that are primarily for administrative personnel involved in medical billing and transcription. The Healthcare Information Management Systems (HIMSS) has defined a Healthcare Body of Knowledge as well as a Certified Professional in Healthcare Information and Management Systems (CPHIMS) credential that seems to be at a much higher level. We at IP3 have taught the CISSP program to more than a few healthcare staffs, and feel that there is need for a more tiered, role based skills assessment, and a broad acceptance of the validation of the candidates.
What are your thoughts? Do you hold a Healthcare IT certification? Is there a cert you feel hits the mark? Do you see a skills gap in the healthcare industry?
Eliminate the boring in your IT Security training program
When you get it wrong, the signs are painfully clear, but the reasons may not always be obvious. Making that all-important connection with your learners does not happen by accident. When you are putting together any security training program – from general awareness training to specific certification training solutions, you need to make it not only interesting but also RELEVANT.
If the learner already has knowledge on security topics/issues, why do they then need additional training on the areas they already understand? The mistake often made is that content is developed from the assumption that the learner knows very little and therefore needs to drink from the proverbial “fire hose”. This does not have to be the case. Constructing a well thought out quiz delivered prior to content or training to be developed or delivered can eliminate repetitive, boring content that has already been adopted by the learner. A quiz can act as a baseline, identifying gaps in the overall knowledge of the learners. Focus can then be spent on either developing content in the areas of weakness or looking for supplemental online content or reinforcement tools to address the gap. The quiz can then be run again after the training to determine whether or not the learning content was absorbed. If we can address the knowledge gaps effectively, we can begin to deal with the critical cybersecurity skills gap we are now being confronted with in North America.
Why we fail at leveraging technology in education
There are three reasons why we fail at leveraging technology in education. First, we are undoubtedly missing the root cause of the systemic failure. It’s not content, it’s context. The content must be made meaningful to the learner. Second, we’ve failed to apply the fat tail principles of mass customization. Anchoring a concept for a learner is unique to each student. While Kahn Academy and the edX initiatives show how expansive the net is for provisioning content, we’re still missing the point that technology must address.
Finally, learning occurs at specific moments in specific context – and this includes space/time issues. Simply put, if my screen and keyboard are the source of massively complex communications systems including email, Facebook, alarms, alerts, notifications, etc. it is by definition, the worst possible tool for isolated and focused attention to a complex subject. If you want to study, you need an isolation mode for your computer. If you really ask most of our students why they end up in a live week-long course, it’s for isolation from daily interruptions.
For technology to make significant changes in our education we need to move the focus from content to context. It’s great to enroll 155,000 students but success is measured in the output of a system, not the inputs. A 4.6% success rate is a starting point but it’s also an indicator of the real challenges that lie ahead.
If modern computer security issues require new competencies in the labor force, our works cut out for us for years to come.
Learning Through Context
What do we mean by context exactly and why do we believe teaching contextual based is better than content?
By context, I mean three things. First, we need to understand the where/when for studying. We should all know and understand that the “interrupt machines” that drive our always-on communications (PCs, smart phones, tablets) are the very worst possible devices for a learning context until we redesign the flow to function in this context.
Second, context is the reference point, and anchoring that provides relativity and explains new ideas in relationship to things the learner already knows. Third, context is the application of ideas, terms or concepts to situations the learner understands.
When EdX can provide learner context, the claim of “revolutionary” will once again belong to Boston. I’m not trying to argue that we do a better job than MIT in our boot camps, but we’re not going to make a mark on the educational demands in the security industry until we to begin taking the content in the world, often from our most renowned and respected sources, and creating context.
This context and training is fundamental to technology deployment and adaption. Failure to develop appropriate human capital is also one of the greatest (though frequently ignored) risk factors for most systems. For over three decades, I’ve been involved with early stage and start-up tech companies. To bring a new technology to market we had to teach new concepts and practices – often to a quite hostile audience. Running worldwide sales at Novell required a global education campaign on what a LAN was, how it might be deployed and it’s economic benefits. We quickly learned that the shortest path to a sale was to educate our customers and to do this we had to translate our features and benefits into direct comparisons with mini-computers. We had to anchor these new ideas in a context the customer understood. We had to make the message relevant to the customer. We had to motivate the learner (customer).
- Why were we messing around with PCs and LANs when a mini-computer provides centralized management?
- Why do we ever have to adapt to what’s “new” and make changes?
Without knowing why something is important, without knowing how a concept or idea relates to what you already know, without motivation, it’s hard to make successful changes. It’s hard to learn something new out of context.