Tuesday, August 10, 2010

InfoSec monitoring in the hands of non-InfoSec people

Here's what happens when you give a non-InfoSec person the tools without giving them the training and the duty that comes along with being a professional.

Girl quits her job using a whiteboard, pictures and email

Don't get me wrong, it's funny, and we see this type of web usage in companies more often than not, but her conduct was still not professional. She may not be as trusted in her new job.

Saturday, August 7, 2010

Google Android apps ‘collecting personal data’

This article isn't that surprising. I'm actually surprised that it's not more of an issue, meaning that we've not seen web browser history being sent back and even keyloggers being put into Android apps. With the proliferation of smartphones and people's shift to performing more and more financial transactions through their phones, this is the next ripe target for malware writers. It would seem that they've largely stuck to writing malware (viruses, keyloggers, etc.) for the Windows population, but writing apps for Android apparently is quick and easy. AND there's little scrutiny in getting an application into the Google Marketplace.

Maybe Apple's model of tight control over their store is good; it just has to be tuned to look for security issues. It would be great to have a set of tools/apps that they could run an app through as a security assessment and evaluation of whether or not this application needs to gather phone numbers, voice mail numbers, etc. Control, document and push back if there's no logical reason why this information needs to be gathered. Doing this would protect the users and be doing a service to the #1 smartphone OS being sold at this time.
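
A minimal sketch of the kind of store-side check described above, added here as an illustration and not taken from any Google or Apple tooling: it reads an app's declared permissions and flags the ones that expose personal data without a documented need for the app's category. It assumes the manifest has already been decoded to text XML; the `JUSTIFIED` policy table, the category names and the sample manifest are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the data they expose.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number, voicemail number, device ID",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "text messages",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
}

# Hypothetical store policy: sensitive permissions with a documented need, per category.
JUSTIFIED = {
    "wallpaper": set(),
    "dialer": {"android.permission.READ_PHONE_STATE",
               "android.permission.READ_CONTACTS"},
}

# Constructed sample: decoded manifest of an imaginary wallpaper app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def review(manifest_xml, category):
    """List (permission, exposed data) pairs with no documented need for this category."""
    allowed = JUSTIFIED.get(category, set())  # unknown category: nothing pre-approved
    return [(p, SENSITIVE[p]) for p in requested_permissions(manifest_xml)
            if p in SENSITIVE and p not in allowed]


if __name__ == "__main__":
    for perm, data in review(SAMPLE_MANIFEST, "wallpaper"):
        print(f"PUSH BACK: {perm} exposes {data}; no documented need")
```

A declared permission only shows what an app can reach, not what it sends, so a check like this is a first filter ahead of any behavioural review.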