Tuesday, August 10, 2010

InfoSec monitoring in the hands of non-InfoSec people

Here's what happens when you give a non-InfoSec person the tools without giving them the training and the duty that comes along with being a professional.

Girl quits her job using a whiteboard, pictures and email

Don't get me wrong, its funny, and we see this type of web usage in companies more often than not, but her conduct was still not professional. She may not be as trusted in her new job.

Saturday, August 7, 2010

Google Android apps ‘collecting personal data’

This article isn't that surprising. I'm actually surprised that its not more of an issue, meaning that we've not seen web browser history being sent back and even keyloggers being put into Android apps. With the proliferation of smartphones and people's shift to performing more and more financial transactions through their phones, this is the next ripe target for malware writers. It would seem that they've largely stuck to writing malware (viruses, keyloggers, etc) for the Windows population, but writing apps for Android apparently is quick and easy. AND there's little scrutiny to getting an application into the Google Marketplace.

Maybe Apple's model of tight control over their store is good, it just has to be tuned to look for security issues. It would be great to have a set of tools/apps that they could run an app through as a security assessment and evaluation to whether or not this application needs to gather phone numbers, voice mail numbers, etc. Control, document and push back if there's no logical reason why this information needs to be gathered. Doing this would protect the users and be doing a service to the #1 smartphone OS being sold at this time.

Sunday, August 1, 2010

The new Facebook issue is the same old Facebook issue, yet again

The Facebook Data Torrent Debacle

Security dude, Ron Bowes, did a couple of notable things. He programmatically gathered, or harvested, names and profile links of 171 million Facebook users. This was publicly available information so he did not have to break into anything to do this. He simply wrote a script to plow through all of the data he could find through Facebook's public profile directory. He then took it and provided a way for people to download the large amount of data that he gathered.

The media (I guess me too at this point) latched on to this and started talking about it. While this is interesting data, the fact of the matter is that it shouldn't be that surprising. If you've made your data public, then that means that people will be able to see it. The fact that only about a third of the total number of Facebook users are in the directory should tell you that many people have changed their settings to prevent this. If you don't want people to see your information, change your permissions so they don't. Or, as always, don't use social networking sites all together if you don't want to be discovered online.

My last thoughts on this are more from a core information security operations perspective. It would seem that Facebook doesn't have anything in place to detect large scale probing, scanning or harvesting data from their sites. There doesn't seem to be any sort of traffic analysis or monitoring of their internet property to detect when someone is working to gather all of the information they can from their site. Facebook seems to have faith in the code that their publishing to the Internet is solid and secure, and that only the information they are intentionally sharing is the only information they're actually sharing. Because of this, I guess they wouldn't necessarily need to have this level of visibility or awareness, but when is the last time any developer or company was 100% sure of their Internet-facing applications and what vulnerabilities they have? Could they have prevented this? Should they have prevented this?