ENTERPRISE SECURITY
An interactive eGuide

Keeping corporate information assets safe takes a combination of smart strategy and intelligent technology choices. IT managers must stay on top of the latest security threats, understand the latest prevention mechanisms, implement risk management and, perhaps toughest of all, keep users complying with corporate safeguards. And with trends such as mobility and cloud computing impacting corporate IT security, technology professionals need to ensure their infrastructures are protected on all fronts. In these articles, Computerworld and its sister publications CIO, CSO, InfoWorld and Network World explore best enterprise security practices and expert advice for securing modern enterprise IT environments.

Contents

2. Security Strategies Alert
Is your company ready for legal holds and compliance with mobility and the cloud?

4. Who are all these hacker groups?
They go by names like Anonymous, Lulz Security, Zeus, Night Dragon, Green Army Corp, Inj3ct0r Team; their goals, methods, effectiveness vary

7. The Deep End
It’s time to make poor coding a felony

9. Reduce, reuse, recycle – just not your password
In the wake of a breach, researchers typically focus on the poor password choice of users, but reuse is a much greater threat

11. Smartphone apps: Is your privacy protected?
Are your apps putting your privacy at risk?

14. David Litchfield on securing the data castle
It’s not sophisticated attacks, complex vulnerabilities or user errors that are the greatest threats to database security, says this expert.

16. Security Resources

Custom publishing from COMPUTERWORLD
Sponsored by COMPUTERWORLD
Advice

Security Strategies Alert
Is your company ready for legal holds and compliance with mobility and the cloud?
By M. E. Kabay and Gordon Merrill, Network World

IT HAS NOT BEEN TOO LONG since Google lost millions of emails and struggled to get most (!) of them back for customers. Amazon recently had cloud issues where they were not able to restore all the data their cloud customers had placed on their servers.

I recently sat in on a presentation hosted by the Chattanooga Technology Council called “Cloud Computing: Separating Fact from Fiction.” The Google and Amazon situations were discussed in this meeting and IT leaders questioned whether the cloud was secure enough yet for any other than benign data.

Are you ready for the cloud? If so, will you use a public service or a private cloud?

Companies are being urged to go virtual and into the cloud to be competitive. We usually read advice to use private clouds, not public clouds. Controlling our own cloud can afford some degree of protection beyond security on public clouds; however, they are both accessible through an IP address, making both types of cloud vulnerable.

But in addition to the security and data integrity of cloud computing, legal and compliance issues become more, ah, clouded – OK, more complex – when we enter the cloud.

In the U.S., Sarbanes-Oxley requires total control over your data from origination to destruction. Other compliance regulations have similar restrictions in them that impose various punishments for the breach of company data.

Let’s look at the Amazon case, in which several cloud subscribers did not regain all of their data placed on the cloud. Where does that leave them? Just as our digital age has far outpaced the 1986 Computer Fraud and Abuse law (18 USC 1030a) and the Wire and Electronic Communications Interception Law (18 USC 2510 et seq.), leaving us with major data environments not mentioned with any sort of legal recourse or protection, we are now moving fast into the new mobile and cloud age with newly uncharted territory for legal compliance or recourse. With a legal system that has not even caught up to brick-and-mortar and perimeter security, how can we expect any real guidance as we rush forward into the great unknown?

Imagine that a hypothetical Fortune 250 company, XYZ Essentials, has their data stored on a private cloud on Amazon Elastic Compute Cloud (EC2) when the EC2 system goes down. Suppose XYZ is already on a legal retention order from a court stipulating that all data and records are to be retained with zero destruction until released by the court. Let’s take it a step further and say the company is under Federal Department of Justice investigation as well.

• Is XYZ now out of compliance because they have data that was lost when EC2 services went down?
• Is XYZ still responsible for the data it lost when it turned control over to a cloud provider?
• Does this action constitute a loss of control from creation to destruction?
• In the brick-and-mortar world, if the lost data were demanded by court order, those data could still be recovered from company-managed backups or by forensic recovery from the hard drives. How do we recover data if the cloud goes down?

-- Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon’s information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.
News Analysis

Who are all these hacker groups?
They go by names like Anonymous, Lulz Security, Zeus, Night Dragon, Green Army Corp, Inj3ct0r Team; their goals, methods, effectiveness vary
By Ellen Messmer, Network World

HACKER GROUPS THAT ATTACK or steal — some estimates say there are as many as 6,000 of such groups online with about 50,000 “bad actors” around the world drifting in and out of them — are a threat, but the goals, methods and effectiveness of these groups vary widely.

When they’re angry, they hack into business and government systems to steal confidential data in order to expose information about their targets, or they simply disrupt them with denial-of-service attacks. These are the hackers with a cause, the “hacktivists” like the shadowy but well-publicized Anonymous or the short-lived Lulz Security group (which claimed to have just six members and just joined forces with Anonymous). Over the years, Anonymous is believed to have hit targets that include the Church of Scientology, the Support Online Hip Hop website, the No Cussing Club website, and posted pornographic videos disguised as children’s videos onto YouTube. It’s said to have joined with Iranians protesting the results of the June 2009 Iranian presidential election. It’s tied to taking down the Australian prime minister’s website in 2009 because of the government’s plans there to have ISPs censor porn on the Internet. Anonymous has taken up the cause of piracy activists fighting copyright law by launching denial-of-service attacks against anti-piracy groups and law firms. The group is supporting WikiLeaks, which publishes confidential information, including the U.S. State Department cables allegedly leaked by U.S. Army soldier Bradley Manning, now in a military jail awaiting trial.

Anonymous, perhaps tied to the Sony hacking incidents, has launched distributed DoS attacks against Amazon, PayPal, MasterCard, Visa and others when the card-payment groups refused to process donations to WikiLeaks. Anonymous has sprung into conflicts, such as this year’s uprisings in the Mideast, hitting the websites of the Tunisian, Egyptian and Libyan governments. The group recently let the world know its chief focus these days is going to be targeting governments and corporations.

But hacktivists like Anonymous are just one type of hacker group. Others are out for financial gain, well-organized to steal payment-card numbers and personal financial data, or pillage bank accounts. And there are groups that focus on intellectual-property theft or steal valuable information for national interests, or money, or both.

Here’s a look at what’s known about some of them — including the ones that, unlike the hacktivists, seldom “Tweet” the world about what they do.
The Zeus gangs

The malware called ZeuS is designed to plunder victims’ PCs to steal financial information and execute fraudulent high-dollar Automated Clearinghouse (ACH) transfers in corporate bank accounts, resulting in many millions of dollars in fraud against businesses, church groups and government agencies.

The Federal Bureau of Investigation (FBI) and international law-enforcement partners in the United Kingdom, the Netherlands and the Ukraine managed to disrupt one of the six main ZeuS hacker groups last fall in a sweep that netted about 100 suspects tied to $70 million in U.S. bank heists. But the leader of what’s called “JabberZeus” (because the specific variant of ZeuS used Jabber instant message to tell gang members when a victim’s online banking credentials were stolen) is still believed to remain at large. And according to Don Jackson, senior security researcher at Dell SecureWorks, which has worked with business and the FBI, there are still five other separate ZeuS hacker groups very active across the world. These Zeus hacker groups have now been connected to “a billion dollars in losses,” says Jackson.

Dogma Millions

This group, largely Russian, runs what’s known as a “pay-per-install” operation to get victims to download malware they’ve designed, and it’s believed to have hundreds of “affiliates” that get paid when a malicious file is installed on a victim’s machine. The group is known to have developed specialized software packers and protectors to ensure its malware, such as rootkits, remains undetected by antivirus products.

The Chinese hacker puzzle

With a growing number of cyberattacks traced back to mainland China, there’s a lot of interest in knowing about hacker groups there, with speculation there are many dozens of them. Security firm McAfee earlier this year released a report called “Night Dragon” which claimed hacker groups from China work regular hour shifts to try and break into oil companies to steal data.

Over the years, the more famous China hacker groups have included Janker, founded by Wang Xianbing, and the Green Army Corps, founded by Gong Wei, according to researcher Scott Henderson, who runs the website Dark Visitor. Although there is no shortage of suspicion in the U.S. that Chinese hackers have at times worked for the Chinese government to steal secrets from U.S.-based businesses and the government, there are also times when Chinese authorities have taken steps to shut down hacker groups. For instance, reports said police last year in Hubei province went after hacker group “Black Hawk Safety Net” and its website that was providing Trojan-based malware.

Over the years, others such as the Network Crack Program Hacker Group based out of Zigong have been identified. The group used a rootkit called GinWui in attacks on the U.S. Department of Defense, other U.S. agencies and Japan about five years ago. GinWui is thought to have been developed by the group’s leader, Tan Dailin, who has used the handle “Wicked Rose” and later “Withered Rose.” The Network Crack Program Hacker Group is believed to have transmitted a large amount of documents to China from the U.S. But when Dailin launched denial-of-service attacks against other Chinese hacker groups, including Hackbase, 3800hk and HackerXfiles, these hacker groups went to Chinese authorities, which arrested Dailin in 2009. He now faces over seven years in prison.
Recent hacker group in the news: Inj3ct0r Team

Some hacker groups, particularly the hacktivists, are inclined to make their exploits public by announcing them online in some way or dumping contents they’ve stolen as proof of their prowess. Recently a group called “Inj3ct0r Team” claimed they’d compromised a server belonging to the North Atlantic Treaty Organization (NATO). When contacted by IDG, the group said the files were a “server backup, confidential data.”

According to IDG, “inside the files was a notepad document dated July 3 that said: ‘NATO lamers! I’ve been watching you day and night since then! W00t! Your Machines rooted! Servers restored to default! what else! [Expletive deleted] you and your crimes! And soon enough all your stupid ideas will be published on WikiLeaks!’” One industry source asked about Inj3ct0r Team says it started as one individual who began finding vulnerabilities in websites and publicizing them, who then attracted a following.

Hacker groups have a long history. The predecessors to today’s had names like “The Legion of Doom” and “Masters of Deception” and in the 1980’s they mainly struck phone networks, where “they did a lot of damage,” says Dell SecureWorks researcher Jackson. Today’s groups, he adds, are more “self-mobilizing, they drop in and drop out,” and the big groups “always have a mastermind or two.” •
Opinion

The Deep End
It’s time to make poor coding a felony
By Paul Venezia, InfoWorld

IT’S BEEN ABOUT 18 MONTHS since I wrote a little post on horrible website password security. Unfortunately, I see that very little has changed, as evidenced by Universal Music’s recent security breach that exposed their users’ real names, email addresses, and passwords. Similar reports seem to surface every day now, such as late last week at the Washington Post and FBI contractor IRC Federal, though it’s unclear if the latter two were as wildly irresponsible as Universal Music.

You might think that a company the size of Universal Music that has plenty of resources would be able to follow the simplest form of security and at least hash its passwords before storing them. You would be incorrect. And if you were unfortunate enough to have registered an account with Universal Music in the past, your information is now spread around for anyone to see and use. For the large number of users that re-use passwords from site to site, their login credentials to any number of other resources are now public information -- and they may not even know it.

Also, I expect to see a bunch of highly targeted phishing attempts appearing quite soon -- after all, they can send you an email, use your real name, and (most important) reference a password that you’ve knowingly used. Forge the headers and include a link to a bogus site that appears legit, and I’ll bet they’d get a boatload of information from unwitting users. Frankly, I wouldn’t consider that to be their fault at all. It’s Universal Music’s fault, top to bottom.

At this point, a brief PR hit is the only thing a company of any size really has to worry about when this sort of thing happens. Sony has been hit with wave after wave of security breaches that have directly affected a huge number of its customers, but with no apparent consequences. Millions of its users have had their account information released into the wild, and some of that number will begin finding fraudulent transactions in their name -- or any of a variety of possible illegal uses of their information. There’s nothing they can really do to prevent it, and I’m certain that a significant portion of them may not even know they were exposed.

Just like Sony and all the others, Universal Music just has to say “oops” and issue a brief press release noting, “Hey, you might want to change your passwords on other sites now. Oh, and carefully inspect each email you get since someone may hit you with a phishing scam.” Then hope it all dies down in a day or two.

I think it’s high time that this level of technical absurdity be punishable by law. The company and employees directly responsible for constructing code so poorly that it stores plain-text passwords of millions of users and can apparently be compromised at will should, at the very least, be fined a vast amount, with some portion of that money going to each possibly affected user and the rest used to assist in addressing identity theft problems that will inevitably appear following a breach. If I had my way, there would also be mandatory loss of employment and possible jail time involved for those whose unspeakably poor decisions led to this event. Simply being on the receiving end of a server or network hack isn’t what I’m talking about -- it’s designing a system that stores such sensitive information so poorly that should be thought of as criminally negligent behavior.

Let’s reframe this a bit. Suppose that a developer sneaks a function into a Web portal that snoops a user’s name, email address, and plain-text password during the registration process and then stores this information somewhere. Suppose that the portal itself is designed well enough that the password is hashed before being stored, but this little function call also stores it in plain text. Suppose that the site is cracked and the plain-text database downloaded and paraded around the Internet. Odds are that the developer who snuck that function into the site would not only be fired, but he or she would probably be arrested for corporate sabotage or similar crimes and face fines and jail time.

The only difference between this hypothetical situation and what actually happened with Universal Music and a host of other sites is that instead of having a bad actor slip code into a solid design, these developers actually designed their code to function this way. They did it on purpose. That should actually be considered a far worse crime than the developer who snuck in the function. Incompetence is no defense, doubly so in this case.

But I highly doubt we’ll see anything of the sort, and definitely not soon. If Anonymous and the various other hacktivist groups continue on their path of exploiting horribly implemented code, all we’ll get are more regretful press releases and the occasional person who might fall on their sword and quit. It’s not enough. It’s not nearly enough.

I say throw the book at the ones who allow these breaches to happen. Maybe then they’ll realize exactly how critical these design decisions really are. Maybe then they’ll understand that they can’t play fast and loose with other people’s data without consequences. But right now, they can -- and that’s the real crime. •
Tips

Reduce, reuse, recycle – just not your password
In the wake of a breach, researchers typically focus on the poor password choices of users, but reuse is a much greater threat
By InfoWorld Tech Watch, InfoWorld

SONY PICTURES, NEWS SITE GAWKER, and social networking site RockYou -- following each high-profile breach, hackers released the password file and lit off a round of analysis of users’ password choices. The most common conclusion from researchers: Users select poor passwords.

Yet, in the real world, choosing weak passwords is much less dangerous than reusing the same password at multiple sites. In a recent paper, researchers from Florida State University, Cisco, and security firm Redjack found that passwords not guessed by cracking dictionaries can survive brute-force attempts quite well.

“There are very few situations where password strength really makes a difference,” says Matt Weir, a co-author of the paper and security researcher, now with the MITRE Corporation. Weir and other computer scientists researched whether entropy, a common cryptographic measurement, was a good metric of password strength. In reality, today’s password-breaking systems focus on guessing common passwords using techniques like rainbow tables, not on brute-force methods of cracking. The researchers demonstrated that common estimates of strength overestimate the difficulty in cracking easily guessable passwords and underestimate the difficulty in cracking more complex codes.

The conclusion: Really weak passwords -- those having fewer than eight characters and contained in a password dictionary -- can be broken easily. However, add a little complexity, and the passwords become much harder to break.

“What immediately sticks out is that the password cracking sessions start out much like the other attacks, but quickly hit a plateau where they become significantly less effective,” the researchers state in the paper. “Unfortunately this means that there still are a sizable number of users who pick weak passwords and would be compromised in an online cracking attack.”

The research undermines the focus on password strength, as do recent events. In particular, password strength matters little if providers don’t protect the sensitive files that store passwords. For example, Sony Pictures allegedly did not encrypt its password files, allowing anyone with access to the file, such as the hackers that broke into the site, to have full access to all the passwords. In addition, the strength of the passwords has not mattered in many cases because the companies have failed to encrypt the password files, exposing weak and strong passwords alike. The RockYou breach exposed some 30 million passwords and Sony Pictures exposed a million, all allegedly without the protection of encryption.

In the face of such events, having unique passwords is significantly more important than strength. A unique password limits the impact of any breach to only the affected accounts -- a much better situation than trying to quickly change passwords across all your accounts. Yet, because of the difficulty in keeping track of passwords across the dozens of websites and online services to which a person typically belongs, most users reuse passwords.

An analysis of the Gawker password set found 76 percent of people reused their passwords. Another analysis that compared Gawker and Sony found 67 percent of accounts using the same email address also had the same password. While many security researchers like to belittle the user who reuses simple passwords across multiple sites, software architect Troy Hunt, who did the latter analysis, says the user’s dilemma is entirely understandable.

“Even if you go low and, say, use 10 characters, by the time you add a little complexity and by the time you accumulate a few accounts, you have to be a savant to remember them all,” Hunt says.

Unlike requiring strong passwords, providers cannot gauge whether a password has been reused. Such choices are entirely in the user’s hands, unless providers somehow find a way to force users to use a password manager. Because of this tradeoff between security and usability, passwords will likely puzzle researchers for some time to come. “We are going to be dealing with password problems for the foreseeable future,” MITRE’s Weir says. •
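An added example, not code from the eGuide or from any company it names, that puts the points of this article and of Venezia's column side by side: a registration handler that stores the password itself, one that stores a per-user salted PBKDF2 hash, and an offline guessing session over each leaked table in which the dictionary entries fall and the long unique password survives. The accounts, passwords and guess list are constructed; the PBKDF2 round count is an assumption kept low so the demo runs quickly.

```python
"""Added example, not code from the eGuide or from any company it names.

Puts the two articles' points side by side: a registration handler that stores
the password itself (the plain-text design Venezia describes), one that stores a
per-user salted PBKDF2 hash, and an offline guessing session over each dump.
Accounts, passwords and the guess list are all constructed here."""
import hashlib
import hmac
import os

# Assumption: kept small so the demo runs in seconds; raise it in production.
PBKDF2_ROUNDS = 50_000


def register_plaintext(store, email, password):
    """The plain-text design: a copy of `store` is a copy of every password."""
    store[email] = password


def register_hashed(store, email, password):
    """Hash before storing: random 16-byte salt per user, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    store[email] = (salt, digest)


def verify_hashed(store, email, candidate):
    """Login check: recompute with the stored salt, compare in constant time."""
    record = store.get(email)
    if record is None:
        return False
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(guess, digest)


def crack_dump(store, guesses):
    """Offline guessing over a leaked hashed table: try each guess against every
    record. Returns {email: recovered_password}. Entries on the guess list fall
    quickly; anything not on it survives, which is the plateau the paper describes."""
    recovered = {}
    for email, (salt, digest) in store.items():
        for guess in guesses:
            attempt = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(attempt, digest):
                recovered[email] = guess
                break
    return recovered


# Constructed accounts: three dictionary passwords and one long unique one.
SAMPLE_USERS = {
    "ann@example.com": "password",
    "bob@example.com": "letmein",
    "cat@example.com": "sunshine",
    "dan@example.com": "K7#pv!Qz2mR$wL9e",
}
# Constructed guess list standing in for a cracking dictionary.
GUESS_LIST = ["123456", "password", "letmein", "qwerty", "sunshine", "monkey"]


def breach_comparison():
    """Register the same users both ways and 'leak' both tables.
    Returns (passwords exposed by the plain-text dump, accounts cracked from the hashed dump)."""
    plain, hashed = {}, {}
    for email, pw in SAMPLE_USERS.items():
        register_plaintext(plain, email, pw)
        register_hashed(hashed, email, pw)
    exposed_plain = len(plain)  # no guessing needed: every password is readable
    cracked = crack_dump(hashed, GUESS_LIST)  # only guess-list passwords fall
    return exposed_plain, cracked


def reuse_cross_site(email, password):
    """Hashing limits a breach to one site only if the password is unique.
    Returns (stored digests identical across sites?, recovered password logs into site B?)."""
    site_a, site_b = {}, {}
    register_hashed(site_a, email, password)
    register_hashed(site_b, email, password)
    same_digest = site_a[email][1] == site_b[email][1]  # False: different salts
    recovered = crack_dump(site_a, GUESS_LIST).get(email)
    logs_into_b = recovered is not None and verify_hashed(site_b, email, recovered)
    return same_digest, logs_into_b


if __name__ == "__main__":
    exposed, cracked = breach_comparison()
    print(f"plain-text dump exposed {exposed} of {len(SAMPLE_USERS)} passwords outright")
    print(f"hashed dump: {len(cracked)} of {len(SAMPLE_USERS)} cracked -> {sorted(cracked)}")
    print("reuse (same digest?, logs into other site?):",
          reuse_cross_site("bob@example.com", "letmein"))
```

The salted hash keeps the two sites' tables from matching each other, but once a reused dictionary password is recovered from one dump it logs straight into the other, which is the article's point that uniqueness matters more than strength.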
Tips

Smartphone apps: Is your privacy protected?
Are your apps putting your privacy at risk?
By Preston Gralla -- Computerworld

SMARTPHONE APPS can do more than provide you with entertainment, information or useful services -- they can also invade your privacy.

Apps can trace your Web habits, look into your contact list, make phone calls without your knowledge, track your location, examine your files and more. They can also automatically send information such as location data to mobile ad networks.

In addition, apps can gather the phone number and the unique ID number of each type of phone: the Unique Device Identifier (UDID) on the iPhone, the International Mobile Equipment Identity (IMEI) number on the BlackBerry, and (depending on the make) the IMEI or the Mobile Equipment Identifier (MEID) on an Android phone. Personal information that apps gather about you can be matched to these IDs. That means that ad networks can easily combine various pieces of information collected by multiple apps, build a sophisticated profile about you -- and then legally sell that data to other marketing companies.

It’s not as if you weren’t warned. Before you download an app, you often get to see the kinds of information that the app will collect about you. On Android, for example, when you tap Install to download and install an app, a screen displays the “permissions” you grant it when you install it. In order to download and install the app, you must tap OK underneath the “Accept permissions” button. BlackBerry phones also cite permissions and Apple monitors all App Store apps for safety.

But do you actually pay attention to what’s gathered? Have you ever not downloaded an app based on what information it indicates it’s going to harvest about you? What do those notices really mean?

In this article, we’ll detail the kind of privacy threats you face when using mobile apps, offer advice on ways you can protect yourself, and take a look at possible legislation that may -- or may not -- help.

What information do apps gather?

Researchers warn that a surprisingly high percentage of smartphone apps may threaten your privacy. In October 2010, joint research by Intel Labs, Penn State and Duke University found that 15 out of 30 Android apps analyzed sent geographic information to remote ad servers without users’ knowledge. Seven of them also sent the unique phone identifier; in some cases, the actual phone number and serial number were sent to app vendors. This can enable app vendors and/or advertisers to create comprehensive profiles about your likes and dislikes, the places you visit when you carry your phone, your Web surfing habits and more. They can then use those profiles however they want or sell them to others.
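An added example, not code from the article or from Android itself, that does for an app's manifest what the article asks of the reader at the permissions screen: it lists the requested permissions in the article's terms and flags the combinations the research describes, location or device ID together with network access. The manifest is constructed for a hypothetical app; the permission names are real Android ones.

```python
"""Added example, not code from the article or from Android itself: read the
permissions an app's manifest requests and report the capabilities the article
warns about, plus the permission pairs that let data leave the phone."""
import xml.etree.ElementTree as ET

# Manifest attributes live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the behaviour the article describes.
WATCHED = {
    "android.permission.ACCESS_FINE_LOCATION": "tracks your location",
    "android.permission.ACCESS_COARSE_LOCATION": "tracks your location",
    "android.permission.READ_CONTACTS": "looks into your contact list",
    "android.permission.CALL_PHONE": "can place phone calls without your knowledge",
    "android.permission.SEND_SMS": "can send SMS, including to premium numbers",
    "android.permission.READ_PHONE_STATE": "reads the phone number and device ID (IMEI/MEID)",
    "android.permission.READ_EXTERNAL_STORAGE": "examines your files",
}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
NETWORK = "android.permission.INTERNET"


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def privacy_findings(manifest_xml):
    """Summarise what the app could do with the data it can reach.
    'capabilities' restates the permission screen in the article's terms;
    'network_exposure' flags data that can also be sent off the phone."""
    perms = requested_permissions(manifest_xml)
    capabilities = []
    for perm in sorted(perms):
        label = WATCHED.get(perm)
        if label and label not in capabilities:
            capabilities.append(label)
    network_exposure = []
    if NETWORK in perms:
        if perms & LOCATION:
            network_exposure.append("location data can be sent to remote ad servers")
        if "android.permission.READ_PHONE_STATE" in perms:
            network_exposure.append("device identifier can be sent to ad networks")
    return {"capabilities": capabilities, "network_exposure": network_exposure}


# Constructed manifest for a hypothetical free game; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Free Game"/>
</manifest>
"""

if __name__ == "__main__":
    for key, lines in privacy_findings(SAMPLE_MANIFEST).items():
        print(key + ":")
        for line in lines:
            print("  -", line)
```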
Meanwhile, in June 2010, security vendor SMobile Systems
found that 20% of Android apps
allowed third parties (that is, companies other than the app vendors
themselves) to get access to private or sensitive information. In
addition, the report warned, 5% of
the apps could make phone calls
by themselves without user intervention and 2% could send an
SMS text message to a premium,
for-pay number -- again without
the user making the call.
Apple’s iOS is not immune to
such threats. In January, a classaction suit filed in San Jose
charged Apple, the music-stream-
ing service Pandora and others
with “transmitting [users’] personal, identifying information to advertising networks without obtaining their consent.” The suit also
charged that “some apps are also
selling additional information to
ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political
views.” The case is still winding its
way through the courts.
This issue is enough of a worry
that federal prosecutors are currently investigating whether iOS
and Android apps obtain or transmit information about users without properly disclosing what they
are doing, according to the Wall
Street Journal. Pandora has already received a subpoena in the
probe, according to the Journal.
The most comprehensive inves-
tigation into the kind of information that smartphone apps gather and how they use it may be
one conducted by the Wall Street
Journal itself. The Journal examined 101 popular iOS and Android
apps and found that “56 transmitted the phone’s unique device ID
to other companies without users’
awareness or consent. Forty-seven apps transmitted the phone’s
location in some way. Five sent
age, gender and other personal
details to outsiders.”
For example, the Journal found
that that Pandora “sent age, gender, location and phone identifiers to various ad networks.” The
iOS and Android versions of a
game called Paper Toss “sent the
phone’s ID number to at least five
ad companies.” The list goes on.
The Journal also found that, as
a general rule, iOS apps sent more
personal data than did Android
apps, but the newspaper also noted that “because of the test’s size,
it’s not known if the pattern holds
among the hundreds of thousands
of apps available.”
The legal issues
There may be very little that you
can do about one of the biggest
privacy issues related to apps:
What is done with your personal
information after it is gathered by
a mobile app.
You can try to check the apps
themselves to see whether they
have privacy policies in place.
Typically, these policies can be
found in a Settings screen, on an
About This App tab or screen, or
possibly through a link at the bottom of a screen. But few apps
Tips
An interactive eGuide
have or display these types of policies. TRUSTe and Harris Interactive recently studied the top 340
free iOS and Android apps and
found that only 19% of them included links to privacy policies.
Troy H. Vennon of the Juniper Global Threat Center warns, “Many developers are collecting device information and storing that information on third-party servers as a means to build ad profiles or device profiles for delivering application content.... It’s worth noting here that nearly all free applications use some sort of adware kit in order for the developers to generate revenue on their free applications. How many of these free applications are collecting and transmitting this ‘private’ device data to build those ad profiles?”
No one knows the answers to those kinds of questions, because there are no legal requirements to provide them.
Congress is concerned enough about the issue that it has held hearings on the matter. After a recent hearing of the Senate Judiciary Committee’s privacy and technology subcommittee, Sen. Al Franken (D-Minn.), chairman of the subcommittee, called for Apple and Google to require that location-aware apps include privacy policies.

“Apple and Google have each said time and again that they are committed to protecting users’ privacy,” Franken wrote in a letter to the companies. “This is an easy opportunity for your companies to put that commitment into action.”

However, that would be a relatively small step, because it would cover only location-aware apps, and it would not limit how the apps share personal information; it would only require that they reveal how they will use it.
Other senators would like to see the federal government take stronger measures. Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act in April, which would require any Web-based businesses, including mobile ones, to give a clear notice to consumers about what data is being collected about them. And Sen. Jay Rockefeller (D-W.Va.) introduced a bill that would in essence create a national do-not-track mechanism to allow users to opt out of being tracked. It would apply to mobile network operators, websites and ad networks.

It’s not clear that either bill will pass, especially because they face opposition from groups such as the technology trade group Association for Competitive Technology (ACT).
How to protect yourself

Given all that, what can you do to protect your privacy when using apps?

First, keep this in mind: The very nature of using a mobile app exposes you to potential privacy intrusions. So you need to balance the benefit you expect to get from an app against the potential privacy risk.

Even the most rigorous privacy protectors don’t say you should avoid downloading apps altogether. Rather, they say, the key is making sure that the app you’re downloading truly requires the permissions it’s asking for. If, for example, a single-player game asks for permissions to send SMS messages, that should be a clear warning sign, because there’s no need for a game like that to send text messages.
Preston Gralla is a contributing editor for Computerworld.com and the author of more than 35 books, including How the Internet Works (Que, 2006).
Q&A

David Litchfield on securing the data castle

It’s not sophisticated attacks, complex vulnerabilities or user errors that are the greatest threats to database security, says this expert. By George V. Hulme, CSO
There’s been an incredible number of records breached this year, including:

• The 1.27 million userIDs and email addresses stolen from the Washington Post jobs site;
• The Epsilon breach; and
• The massive 77 million user accounts pilfered from Sony Corp. Online Entertainment.

All of this begs the question: What can organizations do to better secure their databases? Who better to address that question than noted database security expert David Litchfield?

Litchfield is author of “Oracle Forensics: The Oracle Hacker’s Handbook”, the “Database Hacker’s Handbook” and “SQL Server Security”, and co-author of the “Shellcoder’s Handbook”. He is recognized as one of the world’s leading authorities on database security, and has uncovered hundreds of vulnerabilities in software from companies such as IBM, Microsoft, and Oracle.

Litchfield is currently working on V3rity, his database forensic and breach investigation tool. He says this free tool enables more automated investigation of potential database security breaches.

Q: You’ve seen your share of database deployments. What would you say is one of the most important things organizations can do today to keep their databases secure?

A: The first is to change all default and simple-to-guess passwords. The major database vendors have recently become better at helping with this issue. In the past few years they’ve stopped shipping database servers with default user IDs and passwords. But for a very, very long time they were shipping all of their databases with default userIDs and passwords. Certainly for older systems, default passwords are still a major issue. Many times, while conducting security assessments, it was -- and still is -- incredibly shocking to see how many organizations run default access credentials. Another simple yet often overlooked area is keeping software patches up to date. While it can be very difficult with production database systems, given that they are in use, there are ways to make sure you keep the software up to date during scheduled maintenance.
Q: Beyond patch updates and good password management, what else can organizations be doing that they’re not?

A: Use the principle of least privilege within their applications. This is a very important one. People are pressured into getting their applications running as quickly as they can. However, when they try to manage permissions properly, that good practice can delay deployment slightly. So they say, “Oh look, let’s just give users all the permissions. The application seems to work with these settings. Let’s shove that into production.” Not a great approach. If you don’t want a breach, it’s really worth spending the extra time to design an application that operates on least privilege.
Q: Give readers an idea of what you mean. An example could be that a customer service representative may be allowed to look at one customer at a time, but not do a search for all customers. And they can only see things relevant to support. What else would be involved?

A: That’s part of it, but it’s not just that. Consider the registration side of database management. That requires the ability to manage the database. Whereas the other side, where you’re just selecting profile information for yourself, that only requires select privileges. There should be two parts of the application: one account for the registrations that has the ability to insert, but for the other stuff, which only requires select permissions, that should be using a distinct account. You should look at the application and say, “What permissions are required where?” Rather than have one account that has the ability to do everything, each part of the application should only be allowed to perform specific functions. By designing an application and using the principle of least privilege, organizations can mitigate their risk.
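The two-account split Litchfield describes, written out as an added example in PostgreSQL-style SQL (it is not from the interview or from Litchfield's own material); the table, view and role names are assumed, and the passwords are placeholders:

```sql
-- Added example (not from the interview): the registration/profile split
-- Litchfield describes, as PostgreSQL DDL/DCL. Names are assumed.
CREATE TABLE customers (
    id        SERIAL PRIMARY KEY,
    email     TEXT NOT NULL UNIQUE,
    pw_hash   TEXT NOT NULL,               -- password hash, never plaintext
    full_name TEXT NOT NULL,
    plan      TEXT NOT NULL DEFAULT 'free'
);

-- The support/profile side only needs support-relevant columns, so it
-- reads through a view that leaves out pw_hash entirely.
CREATE VIEW customer_profile AS
    SELECT id, email, full_name, plan FROM customers;

-- Account used only by the registration flow: it may INSERT new rows
-- (and draw ids from the table's sequence), nothing else.
CREATE ROLE app_registration LOGIN PASSWORD 'placeholder-from-secret-store';
GRANT INSERT ON customers TO app_registration;
GRANT USAGE ON SEQUENCE customers_id_seq TO app_registration;

-- Account used by the profile/support pages: SELECT on the view only.
CREATE ROLE app_profile LOGIN PASSWORD 'placeholder-from-secret-store';
GRANT SELECT ON customer_profile TO app_profile;

-- Neither role owns the schema or holds DDL rights, so a flaw in the
-- profile page is confined to reading the view. Run as app_profile,
-- each of these fails with "permission denied":
--   SELECT pw_hash FROM customers;
--   UPDATE customers SET plan = 'enterprise';
--   DROP TABLE customers;

-- Review, as the role that issued the grants, what each application
-- account can actually do; anything beyond INSERT / SELECT is a finding.
SELECT grantee, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee IN ('app_registration', 'app_profile')
 ORDER BY grantee, table_name, privilege_type;
```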
Q: Does taking these precautions add a burdensome amount of additional effort to an organization, or push out application and database deployment schedules?

A: Only if it is back ported. Trying to do it all later is when it costs extra time. That is when things start breaking down. Then, in the heat of production, you have to investigate why it’s breaking. Doing it from the get-go -- having a security guy working with the application developers from the start -- might add an extra week. But it won’t add the extra five weeks in terms of back porting security. And it certainly won’t add an extra ten weeks in terms of conducting an investigation if you get a breach. And, by not doing it up front, you increase your odds of a breach because you didn’t build security into the application. How difficult is all of this, really, when compared to all of the potential benefits to be reaped?

Other precautions organizations can take up front are to reduce one’s attack surface by stripping out all of the functionality that they don’t need. Databases come with all these wonderful extra features, so if you’re not using things like indexing or search and stuff like that, strip them out because it’s just extra attack surface.

On my website I’ve compiled a list of the top things an organization can do to make their database servers as secure as possible. Following the advice doesn’t solve all risks, but does solve about 90 percent of the issues out there.
Q: None of this strikes me as exceptionally difficult for organizations to achieve.

A: It’s disheartening. What is really depressing, for me, is we do all this really cool research into exotic vulnerabilities, developing new attack techniques and finding new classes of vulnerabilities. But at the end of the day, this stuff is irrelevant when eight times out of ten people are leaving default user names and passwords in place. Of what importance, really, is all of this research and attention on exotic vulnerabilities when the basics aren’t even being given attention?

Q: Thanks for your time, David. It’s amazing after all these years we are still having this conversation.

A: It’s terrifying that we’re still having this kind of conversation.
Resources

White Paper: Security & Trust: The Backbone of Doing Business Over the Internet

Gaining the trust of online customers is vital for the success of any company that requires sensitive data to be transmitted over the Web. Most consumers are concerned that their sensitive information will be intercepted in-transit, or perhaps the destination web site is manned by imposters with malicious intent. Read this white paper and learn how to best implement a security strategy that keeps consumers’ information secure and instills the confidence they need to proceed with transactions.

White Paper: Choosing a Cloud Hosting Provider with Confidence

Cloud computing is rapidly transforming the IT landscape, and the conversation around adopting cloud technology has progressed from “if” to “when.” Enterprises are showing strong interest in outsourced (“public”) cloud offerings that can help them reduce costs and increase business agility. These cloud services offer enormous economic benefits but they also pose significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations.

White Paper: Beginners Guide to SSL Certificates

Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. Not only does it make you feel safer but it also protects people who visit your home, place of business, or website. It is important to understand the potential risks and then make sure you are fully protected against them. In the fast-paced world of technology, it is not always easy to stay abreast of the latest advancements. For this reason it is wise to partner with a reputable Internet security company.